CYBERSECURITY — GETTING IT RIGHT 


Tuesday, July 22, 2003 

U.S. House of Representatives, 
Subcommittee on Cybersecurity, Science, 

AND Research and Development, 

Select Committee on Homeland Security, 

Washington, D.C. 

The subcommittee met, pursuant to call, at 10:05 a.m., in Room 
2118, Rayburn House Office Building, Hon. Mac Thornberry [chair- 
man of the committee] presiding. 

Present: Representatives Thornberry, Sessions, Camp, Cox [ex 
officio], Lofgren, Jackson-Lee, Christensen, Etheridge, Lucas, and 
Langevin. 

Mr. Thornberry. The hearing will come to order. This oversight 
hearing of the Subcommittee on Cybersecurity, Science, and Re- 
search and Development will hear today on the topic of 
“Cybersecurity — Getting It Right.” This is the next in a series of 
hearings that this subcommittee has had on cybersecurity. We have 
had virtually unanimous recommendations from previous witnesses 
that, among other things, research and development is a key role 
for the Federal Government. And we are here today to hear from 
some outstanding witnesses to help guide us in that research and 
development for the future. 

Before proceeding further, let me turn to the distinguished Rank- 
ing Member of this subcommittee, the gentlelady from California, 
for any opening comments she would like to make. 

Ms. Lofgren. Thank you, Chairman Thornberry, for scheduling 
this hearing today and for your wonderful leadership of this sub- 
committee. 

When the subcommittee was formed back in February, Chairman 
Thornberry and I met to discuss our common agenda and priorities. 
And at that meeting we both agreed that the subcommittee should 
spend considerable time studying incredibly complex sets of issues 
surrounding cybersecurity, and we decided to embark on a mission 
to educate and inform the members of the subcommittee. We felt 
the need to establish a knowledge base before we attempted to 
tackle any possible policy directives or legislative initiatives. 

Soon after our initial meeting, we began this educational process. 
At our first meeting, we heard from Dr. Charles McCreary on the 
work being done within the Science and Technology Directorate at 
the Department of Homeland Security. Soon after that, we began 
a series of hearings on the cybersecurity issue. First, we looked into 
threats, vulnerabilities, and possible responses to cyber attacks. 
Last week, we heard from industry leaders on their experiences. 

In addition to these hearings, we have held several briefings on 
cyber issues, including a classified briefing on cyber threats. Chair- 
man Thornberry and I have also had individual meetings with aca- 
demics, business leaders, and public policy experts. All of these 
meetings and hearings have been quite informative, and helped the 
members of this committee to get a handle on the scope of the 
issues we face. I believe that this subcommittee is beginning to 
have a solid understanding of the cyber question, and I am sure we 
are going to build on this foundation today. 

Today, we will explore the research agenda that will help us to 
better secure cyberspace. Our panelists represent academia, the na- 
tional security community, and industry, and all are well-versed on 
cyber issues. Scientific research and innovative technology may 
hold some of the most promising solutions to our IT vulnerabilities, 
and I believe that we can stay one step ahead of hackers and cyber 
terrorists if government works in a coordinated way with the pri- 
vate sector. 

I look forward to learning more about the advanced technology 
programs that currently exist and the ones that need to receive 
higher priority and funding. I want to hear about the current ef- 
forts to share information between the private sector, the govern- 
ment, and academia. Government, and this subcommittee in par- 
ticular, should play a role in helping these diverse entities work to- 
gether to reduce all our vulnerabilities and better secure cyber- 
space. 

I am looking forward to hearing from all of our witnesses today, 
but I especially want to welcome and thank Dr. Shankar Sastry, 
Chairman of the Electrical Engineering and Computer Sciences De- 
partment at UC-Berkeley. I have had the pleasure of discussing 
these issues with Dr. Sastry before, and I appreciate you coming 
all the way to be with us here today. 

Finally, as I mentioned in my opening statement at last week’s 
hearing, I have great concerns about the Bush administration’s 
cybersecurity program. In the last 6 months, the most senior Bush 
administration cyber officials have left the government. These indi- 
viduals include Richard Clarke, the Special Advisor to the President 
for Cybersecurity; Howard Schmidt, the Vice Chair of the Presi- 
dent’s Critical Infrastructure Board and Clarke’s replacement; Ron 
Dick, the Chairman of the NIPC; and John Tritak, Director of 
CIAO. The last two organizations are part of the National 
Cybersecurity Division at DHS which was created on June 6th of 
this year. To date, no director has been named for this division. 
The NCSD is located within the DHS Information Analysis and In- 
frastructure protection directorate, reporting to the Assistant Sec- 
retary for Infrastructure Protection. Some cybersecurity-related 
R&D activities, however, will take place within the DHS Science 
and Technology Directorate. 

I believe that this situation where it is buried within the bu- 
reaucracy is questionable, and that once a person is finally chosen 
to lead the division, he or she may not receive the high-level access 
to Secretary Ridge and the White House that is warranted. 

The House is going to adjourn at the end of this week for the 
summer district work period, and when we return in the fall, I look 
forward to hearing directly from the Department of Homeland Se- 
curity on their cybersecurity agenda. 

I thank Chairman Thornberry for scheduling this hearing, and I 
thank him for his leadership and for working so well and honestly 
with me. And I thank you, too, our witnesses, for their testimony, 
and finally to the committee staff for their outstanding work. 

Mr. Thornberry. Let me thank the gentlelady, and express 
agreement with the concerns that she has raised. We will be hear- 
ing from the Department of Homeland Security when we return, 
and this committee as well as the full committee, I know, will be 
certainly engaged with them. 

The Chair is going to yield his time for an opening statement to 
the distinguished chairman of the full committee, the gentleman 
from California, Mr. Cox. 

Mr. Cox. I thank the Chairman and the Ranking Member. And 
I will be brief, because we have an excellent panel of witnesses 
today and I, like you, am anxious to hear from them. I want to 
thank you both for organizing today’s hearing and for your contin- 
ued diligence in examining the cyber threat, and for this sub- 
committee’s focus on the Department of Homeland Security’s mis- 
sion to counter this new and worrisome threat. I would also like 
formally to thank our witnesses for making the time to be with us 
today. 

Just as our focus on science, including notably the Manhattan 
Project, contributed to our victories in World War II and in the 
Cold War, a similar comprehensive commitment to scientific in- 
quiry, to basic research, and to the development of innovative tech- 
nologies is necessary if we are going to win the current war on ter- 
rorism. For that reason alone, the cyber challenge in particular re- 
quires a mobilization of the American scientific community. 

As recently reported by the National Research Council, the 
United States information system vulnerabilities from the stand- 
point of both operations and technology are growing faster than the 
country’s ability, if not willingness, to respond. This is a critical 
fault that we have got to address, because technology is at the cen- 
ter of our economy, our civilian and defense critical infrastructure, 
our communications systems, and indeed every aspect of our way 
of life. 

Superior technology will, therefore, be at the heart of our efforts 
to prevent and to deal with cyber attacks. We must leverage our 
superior research community resources to address risks and harden 
our critical physical and electronic infrastructure. 

Under Chairman Thornberry’s leadership, this subcommittee has 
held three hearings and a productive half-day workshop on this 
issue. During these hearings, representatives from industry, gov- 
ernment, and academia have confirmed our understanding of the 
gravity of the cybersecurity threat and of the importance of the De- 
partment of Homeland Security’s role in addressing it. 

The workshop held yesterday morning, which was co-sponsored 
by the Congressional Research Service staff, not only accentuated 
the threat, but stressed the importance of the public-private part- 
nership in developing solutions. Today’s hearing will increase our 
appreciation for the research being done to address the cyber 
threat. Each of our witnesses today represents a different facet of 
the cyber research community. 

The Department of Homeland Security, to be effective in its ana- 
lytic and policy mission, must have a clear understanding of the 
best research being done and where it is going. In exercising over- 
sight, this committee will want to measure the Department’s 
progress over time in coordinating governmentwide cyber pro- 
grams, in advancing research and development efforts to reduce 
cyber vulnerabilities, in improving our capabilities to respond to at- 
tacks, and in accelerating our efforts to promote computer security 
awareness training across the country. 

I look forward to hearing from our witnesses about research pri- 
orities, both in the Federal Government and in the private sector 
and in academia, and about ways that the Department of Home- 
land Security can support and capitalize on your efforts. 

Mr. Chairman, thank you again for your personal commitment, 
and also our Ranking Member for your personal commitment and 
for your exemplary performance and the performance of this sub- 
committee on this issue. I yield back. 

[The information follows:] 

PREPARED OPENING STATEMENT OF THE HONORABLE CHRISTOPHER 
COX, CHAIRMAN, SELECT COMMITTEE ON HOMELAND SECURITY 

I would like to thank Chairman Thornberry and Ranking Member Lofgren for or- 
ganizing today’s hearing, for their continued diligence in examining the cyber 
threat, and for their focus on the Department of Homeland Security’s mission to 
counter this new and worrisome threat. I would also like to thank the witnesses for 
making the time to share their valuable insights with us today. 

As many of you know, the Manhattan Project, launched in 1942, marked the es- 
tablishment of a sustained and successful U.S. nuclear science program that grew 
stronger and stronger in subsequent years. This focus on science contributed to our 
victory in World War II and in the Cold War. The current War on Terrorism re- 
quires a similar comprehensive commitment to scientific inquiry, to basic research, 
and to the development of innovative technologies. 

Today, the cyber challenge in particular requires a similar mobilization of the 
American scientific community. Technology is at the center of our economy, our crit- 
ical infrastructure, our communication systems, and our way of life. Superior tech- 
nology will be at the heart of our efforts to prevent a cyber attack. We must leverage 
our superior research community resources to address risks, and harden our critical 
physical and electronic infrastructure. 

Under Chairman Thornberry’s leadership, this Subcommittee has held three sub- 
committee hearings and a productive half-day workshop on this issue. During these 
hearings, representatives of the industry, government and academia have confirmed 
our understanding of the gravity of the cybersecurity threat and of the importance 
of the Department of Homeland Security’s role in assessing it. The workshop held 
yesterday morning, which was cosponsored by the Congressional Research staff, not 
only accentuated the threat, but stressed the importance of the public-private part- 
nership in developing the solution. 

Today’s hearing will increase our appreciation for the research being done to ad- 
dress the cyber threat. Each of our witnesses today represents a different facet of 
the cyber research community. The Department of Homeland Security, to be effec- 
tive in its analytic and policy mission, must have a clear understanding of the best 
research being done and where it is going. In exercising oversight, the Select Com- 
mittee will want to measure the Department’s progress over time in coordinating 
government-wide cyber programs, in advancing research and development efforts to 
reduce cyber vulnerabilities, in improving our capabilities to respond to attacks, and 
in accelerating our efforts to promote computer security awareness training across 
the country. 

I look forward to hearing from our witnesses about research priorities, and about 
ways that the Department of Homeland Security can support your efforts. Mr. 
Chairman, thank you again for your personal commitment and for the exemplary 
performance of your subcommittee on this issue. 
THE PREPARED STATEMENT OF THE HONORABLE SHEILA JACKSON-LEE, 
A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS 

Mr. Chairman and Mr. Ranking Member, I thank you for convening this hearing 
today so that we can take another step toward securing our homeland. Today’s hear- 
ing, “Cybersecurity: Getting It Right,” gives the Members of this Subcommittee an- 
other opportunity to explore the difficult and ever-changing technology sector, and 
to hear more invaluable testimony on protecting our information infrastructure. 

A common question in our cybersecurity efforts is the issue of information shar- 
ing. The technology industry is highly competitive and also highly lucrative. Tech- 
nology companies that develop innovative ideas can earn millions, if not billions, of 
dollars. Therefore, there is a substantial interest on the part of the corporation to 
keep the innovation for themselves and reap all of the financial benefits. In the gen- 
eral market for software and hardware development, research and development se- 
crecy is an expected part of our capitalist economy. In the national cybersecurity 
arena, however, failure to share information may result in our information infra- 
structure being more vulnerable to cyber attacks. It is imperative to national secu- 
rity that the technology sector shares the information that will protect our informa- 
tion infrastructure. It is equally imperative that the Members of Congress pass leg- 
islation that promotes information sharing while protecting the intellectual property 
of our technology companies. 

In order for innovations to be shared the innovations must be developed. The re- 
search and development aspect of national cybersecurity must be fostered to protect 
our homeland. As the capabilities of the Internet and the remainder of our informa- 
tion infrastructure expands, so too do the capabilities of cyber-terrorists. The com- 
plexity of recent computer viruses and the speed with which they spread across our 
information infrastructure illustrates the formidable task our country faces com- 
bating cyber-terrorists. Developing the technologies to counter cyber attacks will be 
an on-going endeavor. Each advancement in computer technology will bring ad- 
vancements in the capabilities of cyber-terrorists. New technological defense meth- 
ods will be required through research and development in order to adequately pro- 
tect our information infrastructure. 

Research and development will also be needed to detect and apprehend those re- 
sponsible for cyber-terrorist attacks. The nature of the information infrastructure al- 
lows criminal actors to operate anonymously. Often the perpetrators of cyber-crimes 
are not located and are left free to attack our information infrastructure again in 
the future. If America’s cyberspace is to be protected we must be able to locate the 
perpetrators of cyber-attacks and also develop intelligence methods to detect attacks 
before they occur. Our national research and development efforts will also be critical 
to stopping cyber-crimes before they occur. 

Mr. Chairman and Mr. Speaker, the task before this Subcommittee is great. 
Achieving full cybersecurity for our Nation’s critical information infrastructure is 
important for the full operation of our education system, federal, state, and local 
governments, our financial system, our travel system and every other segment of 
our society. The Internet has become an integral portion of the daily operation of 
all of these segments. One successful cyber-attack could have devastating con- 
sequences. I look forward to hearing the testimony of our witnesses today, and I 
thank them for their attendance. I hope that their wisdom will bring us closer to 
securing our information infrastructure. 

Mr. Thornberry. The Chair thanks the gentleman, and would 
also join in thanking the Congressional Research Service, Eric 
Fischer and his staff, and the folks who participated in yesterday’s 
workshop. It really was an outstanding group. 

Now, again let me thank each of our witnesses for taking time 
to be with us today. We will first hear from Dr. Shankar Sastry, 
Chairman of the Department of Electrical Engineering and Com- 
puter Science from the University of California at Berkeley. Thank 
you for being with us today, sir. And you are recognized for 5 min- 
utes. 
STATEMENT OF S. SHANKAR SASTRY, PH.D., CHAIRMAN, DE- 
PARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER 
SCIENCES, UNIVERSITY OF CALIFORNIA, BERKELEY 

Mr. Sastry. Thank you very much, honorable Chairman Thorn- 
berry, honorable Ranking Member Lofgren, and distinguished 
members of the Subcommittee on Cybersecurity, Science, and Re- 
search. Thank you very much for the opportunity to testify today. 

I would like to testify about areas for investment in 
cybersecurity, science, research and development, some priority 
areas for funding, and the role of university, industry, the venture 
community, and government partnerships in bringing secure and 
trusted systems to the marketplace. 

By way of background, I should say that I served as Director of 
the Information Technology Office at DARPA from September 1999 
to February 2001. My areas of research are in embedded and au- 
tonomous software, complex infrastructure systems, and secure 
network embedded systems. 

Let me start with my perceptions of the current funding of 
cybersecurity research. The most sustained funding for 
cybersecurity research to date has been through the Department of 
Defense. In DOD, the largest pool for funding for research has been 
through DARPA, though there have been some important research 
initiatives also through the National Security Agency. 

The programs have been in three generations. The first genera- 
tion is to prevent intrusions, and there have been a number of suc- 
cesses that have come out of this, including several sets of cryp- 
tographic tools, access control, and multiple levels of security. 

In the second generation, if intrusions happen, how does one de- 
tect them and how does one limit damage? Examples of successful 
products that came out of this: firewalls, boundary controllers, in- 
trusion detection systems, virtual private networks, and a public 
key infrastructure. 

In the third generation, which we are now in the midst of, the 
goal is to operate through attacks. And these goals are intrusion 
tolerance and graceful degradation. In my opinion, this is the space 
that we need to be in to be able to have critical infrastructure sys- 
tems that can weather attacks. 

From its high watermark of close to $100 million of research 
funding per year for information assurance and survivability re- 
search, IA&S, in 2000 the funding for unclassified IA&S research 
has decreased significantly in the following years. While it is un- 
derstandable that there are important other priorities in DOD for 
more focused efforts on command and control networks and other 
sensitive DOD networks, I feel that, given the scope and magnitude 
of research that remains to be done, it is critical that the burden 
of supporting cybersecurity research be picked up by other agen- 
cies. 

Of course, I also feel that, given the newest generations of 
manned and unmanned and autonomous systems in the DOD such 
as the UCAV and in Future Combat Systems and so on, it would 
also be in the interest of DOD not to scale back its unclassified pro- 
grams a great deal. 

The National Science Foundation. I feel the NSF has been 
proactive in taking steps to boost funding for cybersecurity re- 
search by setting up new programs in trusted computing, and in 
secure network embedded systems, which is under planning, net- 
working research, and more recently test beds for cybersecurity. 

Department of Homeland Security. It is our understanding that 
the Science and Technology Directorate is planning an initiative in 
cybersecurity and is organizing program management structures 
for cybersecurity research centers. The Congress and the adminis- 
tration should be lauded for having taken the visionary step of hav- 
ing formed the Homeland Security Advanced Research Projects 
Agency, HSARPA, along the DARPA model. In addition, I feel that 
the idea of having HSARPA work with procurement and oper- 
ational branches of the DHS to evangelize the adoption of new 
cyber secure software and systems is a very attractive one. If such 
a model was successful, it would be useful in reforming possible 
changes in procurement and operational concept transformation in 
DOD as well. The community has felt a great deal of enthusiasm 
about this potential outcome. The outcome we feel would be best 
achieved if the research centralized in the S&T Directorate at 
HSARPA interacted directly with the procurement and operational 
needs of the IAIP, Border and Transportation Security, and the 
Emergency Preparedness Directorates. 

However, a necessary condition for an outcome is an adequate 
outlay of funds for research and development coupled with acquisi- 
tions. In my opinion, the level of investment needs to be some- 
where in the range of 100 to $200 million per year, and we base 
this number on a road map for research and cybersecurity which 
we have developed and is present in the full testimony. In the in- 
terest of time, I will just talk a little bit about a few highlights of 
the funding gaps in research priorities for cybersecurity. 

The technology needs may be classed into the following cat- 
egories: unsolved difficult research problems and information as- 
surance and survivability — and a number of these are taken from 
the so-called Infotech Research Council hard problems list, and 
they are listed in my testimony. 

The second one is about technologies for strong security with 
strong privacy. The technology needs for strong privacy are com- 
pletely compatible with the technology needs for strong security. So 
some examples are selective revelation, where the goal is to mini- 
mize revelation of personal data while facilitating analysis through 
the approach of partial incremental revelation of data. Others in- 
clude strong audit. And also, rule processing technologies for check- 
ing compliance with privacy rules. 

In addition, I feel that the emerging infrastructure of the future 
will be based on wired and wireless network devices ubiquitously 
embedded in the environment to provide so-called sensor webs of 
information for monitoring and controlling infrastructure. We need 
to take steps today to start securing them. 

And, finally, the last set of problems comes in under the title of 
validated modeling, simulation and visualization of critical infra- 
structures and their interdependencies. 

Mr. Chairman, am I out of time? Or — . 

Mr. Thornberry. The gentleman’s 5 minutes has expired. The 
Chair is somewhat lenient with time, however. The gentleman may 
proceed and conclude his remarks. 
Mr. Sastry. Thank you very much, Mr. Chairman. Perhaps in 
the interest of time, let me sort of say — to go to the last part of 
my testimony and talk a little bit about a model for public-private 
partnerships for rapid technology transfer in cybersecurity. 

I think there is clearly a need for cybersecurity research and de- 
velopment, but even more immediate and pressing is the need for 
transitioning this. The most common complaints that one hears 
from vendors and service providers are as follows: No one pays for 
security. Will the Federal Government play the role of market 
maker in the early adoption of security products? Is there sufficient 
demand to stimulate new companies around new ideas in 
cybersecurity? Who will provide road maps to help the investment 
by established companies and the venture community in 
cybersecurity products? 

So a fundamental organizational problem that exists today is the 
lack of mechanisms for filling in the gap between the end of suc- 
cessful Federal projects. And I feel that a lot of the Federal invest- 
ment to date has indeed been a success, but there is a problem in 
transitioning from the end of a successful Federal project to the 
venture community and industry in the form of products. 

Research prototypes need to be hardened, tested on large-scale 
test beds, informed and customized by the customer base before we 
get these into the marketplace. And I feel that the role of public- 
private partnerships and perhaps the nonprofit sector is in filling 
this gap between the end of a successful research program and in- 
dustry and venture update. 

And let me just conclude by saying that there are exemplars of 
successful such partnerships which have been formed by the legis- 
lation of this Congress, and so those are in the semiconductor in- 
dustry. In the semiconductor industry, both the SIA, the Semicon- 
ductor Industry Association, and the SRC, the Semiconductor Re- 
search Consortium, have facilitated both the funding of rapidly 
transitioned research to the semiconductor industry and led the 
continual development of road maps for the electronics industry. 
DOD funding, both from OSD and DARPA from the earliest days 
of this research, has been instrumental in maintaining a strategic 
national component both for competitiveness as well as for main- 
taining U.S. superiority in a vital sector. 

My own sense is that nonprofits are the same ilk as the SIA and 
SRC. With the same kind of partnership, DHS and DOD could play 
an important role in developing a mechanism for rapid transition 
of focused research and road mapping for industry in the invest- 
ment community. 

Thank you very much, Mr. Chairman, for your indulgence. 
Thank you very much for the opportunity to testify. We are really 
delighted as a community to see your attention to all of these im- 
portant issues. Thank you very much. 

[The statement of Dr. Sastry follows:] 

PREPARED STATEMENT OF DR. SHANKAR SASTRY 

Honorable Chairman Thornberry, Honorable Ranking Member Lofgren, and mem- 
bers of the subcommittee on Cybersecurity, Science, and Research, thank you for the 
opportunity to testify today, regarding areas for investment in cybersecurity re- 
search and development, priority areas for funding, and the role of university-indus- 
try-venture-government partnerships in bringing secure and trusted systems to the 
market place. By way of background, I should say that I am currently the Chairman 
of Electrical Engineering and Computer Sciences at the University of California, 
Berkeley where I have been a professor for over 20 years. I have also served on the 
faculties of the Massachusetts Institute of Technology (1980-1982), where I began 
my academic career as an Assistant Professor, and Harvard University where I was 
a Gordon McKay chaired professor in 1993-1994. From November 1999 to March 
2001, I served as the Director of the Information Technology Office (ITO) of the De- 
fense Advanced Research Projects Agency (DARPA) in the DoD. The responsibilities 
of this office included planning and managing the investment in all areas of infor- 
mation technology, including the information assurance and survivability portfolio 
of programs. My areas of research are embedded and autonomous systems and soft- 
ware, complex infrastructure systems, secure networked embedded systems, and 
high confidence systems and software. I have recently led the organization of a col- 
laborative multi-university cybersecurity research consortium named, and a testbed 
for network defense called the national cyber Defense Technology Experimental Re- 
search network (DETER). 

To answer the questions asked by you, I will divide my testimony into the following 
areas: 

1. Current Funding of Cybersecurity Research, 

2. Research Gaps and Funding Priorities for Cybersecurity Research, 

3. A collaborative university research program in Ubiquitous Secure Tech- 
nologies led by Berkeley partnered with Stanford, Cornell, Vanderbilt, Carnegie 
Mellon, and San Jose State Universities, and Smith College, 

4. Testbeds for Cybersecurity, 

5. A model for public-private partnerships for rapid technology transfer in 
Cybersecurity 

1 Current Funding of Cybersecurity Research 

There has been Federal funding of Cybersecurity research thus far primarily by the 
Department of Defense and the National Science Foundation, though there has also 
been some research funded by NIST, Department of Energy and NASA as well. The 
community has followed with interest the testimony given by the DARPA Director, 
the NSF Director and Undersecretary for Science and Technology at DHS to the 
House Science Committee. The community feels grateful to the House Science Com- 
mittee, its staff and its Chairman, the Honorable Mr. Boehlert, as well as this Sub- 
committee on Cybersecurity, Science and Research and Development, its Chairman, 
the honorable Mr. Thornberry and ranking member the Honorable Ms. Lofgren for 
their close attention to the needs of cybersecurity research. I will limit my own re- 
marks to the perceptions of the community and also my own experience with help- 
ing to manage the cybersecurity portfolio at DARPA. 

Department of Defense. The most sustained funding for cybersecurity research to 
date has been through DoD. In DoD, the largest pool of funding for research has 
been through DARPA, though there have been important research initiatives that 
have been managed by the National Security Agency. Some very important Univer- 
sity Research Initiatives in Critical Infrastructure Protection (CIP-URI) were fund- 
ed through DDR&E as five-year programs primarily in 2001. Modest 6.1 core pro- 
grams in cybersecurity research at AFOSR, ARO and ONR also exist. The Informa- 
tion Assurance and Survivability (IA&S) programs at DARPA are the largest and 
most successful Federal investment to date. This suite of programs has gone 
through three generations listed below with some exemplars of successful outcomes: 

1. 1st Generation (Prevent Intrusions): Trusted Computing Base, Access Con- 
trol, Cryptographic Tools, Multiple Levels of Security 

2. 2nd Generation (Detect Intrusions, Limit Damage): Firewalls, Boundary Con- 
trollers, Intrusion Detection Systems, Virtual Private Networks, Public Key In- 
frastructure 

3. 3rd Generation (Operate Through Attacks): Goals are Intrusion Tolerance, 
Graceful Degradation, Big Board View of Attacks, Security Tradeoffs and 
Metrics, and hardening of the core infrastructure. 

The first generation was aimed at preventing intrusions as much as possible, the 
second at detecting intrusions when they occur and limiting the amount of damage 
that they cause. The third generation of programs, which is most critical to critical 
infrastructure protection, consists of developing the ability to operate through 
attacks without failing catastrophically. A very large number of existing 
security solutions were developed by companies either as spin-offs of DARPA re- 
search or as an integral part of DARPA research programs in Generations 1 and 
2. We are currently in the 3rd generation of programs and a research and development 
base has been energized to address what remain as difficult technical problems 
in IA&S. From its high watermark of close to $100M of funding for IA&S in 
2000, the funding for unclassified IA&S research at DARPA has decreased significantly 
in following years. The DARPA investment has also had the extremely desir- 
able effect of involving the Service Laboratories (such as AFRL and Navy SPAWAR), 
and the services operational commands in bringing their requirements to the com- 
munity. While it is understandable that there are other important priorities in the 
DoD for more focused efforts in IA&S for command and control and other sensitive 
DoD networks, given the scope and magnitude of research that remains to be done 
in cybersecurity, it is critical that the burden of supporting cybersecurity research 
be picked up by other agencies. In addition, given the important strategic nature 
of IA&S research for new and emerging DoD systems, including the newest generations 
of unmanned and autonomous systems (such as the UCAV and in Future Com- 
bat Systems), it would not be in the interests of DoD to scale back its unclassified 
programs a great deal. 

National Science Foundation. NSF has been proactive in taking steps to boost funding 
for cybersecurity research by setting up new programs in Trusted Computing 
and in Secure Network Embedded Systems (under planning), networking research, 
and testbeds for cybersecurity. These investments, primarily in the Directorate of 
Computer and Information Science and Engineering (CISE), have been timely and 
strategic. Nonetheless it is the perception of the community that the level of funding 
for cybersecurity and Critical Infrastructure Protection could be greater. A point 
about the synergy in funding between DARPA and NSF is in order here. From 
the early days of networking, when NSF picked up the ARPANET and helped fund 
it while it grew into the modern Internet, and early DARPA funding on high performance 
computing was sustained by NSF funding, there has been a rich legacy 
of cooperation in funding information technology research between the two agencies 
on Fairfax Avenue in Arlington, Virginia. It would be extremely desirable to have 
this synergistic relation continue in the area of cybersecurity. 

Department of Homeland Security. It is our understanding that the Science and 
Technology Directorate of DHS is planning its initiative in cybersecurity and is or- 
ganizing program management structures for cybersecurity research centers. The 
Congress and the administration should be lauded for having taken the visionary 
step of having formed the Homeland Security Research Projects Agency along the 
DARPA model. In addition, the idea of having HSARPA work along with procure- 
ment and operational branches of the DHS to evangelize the adoption of new 
cybersecure software and systems is a very attractive one. Such a model, if success- 
ful, would be very useful in informing possible changes in procurement and oper- 
ational concept transformation at the DoD as well. The community has felt a great 
deal of enthusiasm about this potential outcome. The outcome would be best 
achieved if research centralized in the Science and Technology Directorate, at 
HSARPA, interacted directly with the procurement and the operational needs of 
each of the Information Analysis and Infrastructure Protection (IAIP), Border and 
Transportation Security, and the Emergency Preparedness Directorates. There are 
some synergies to be gained, for example, by engaging with the research needs of the 
National Communication Systems, with road-mapping activities for cybersecurity, or 
by using secure sensor webs for border patrol and monitoring programs. 

However, a necessary condition for such an outcome is an adequate outlay of funds 
for basic research and development coupled with acquisitions. In my opinion the 
level of investment needs to be somewhere in the range of $100-200 M per year. 
I base this number on a roadmap for research in cybersecurity, which we have de- 
veloped (details are included in the next section of this testimony). I feel that the 
DARPA model is an especially appropriate model for funding research and develop- 
ment in cybersecurity. Once again HSARPA may wish to involve groups in the other 
directorates the way DARPA involves service laboratories and commands as 
“agents” for contracting the work and thereby helping the transition of research into 
products. Thus, one could view customers in the IAIP Directorate helping program 
managers in HSARPA shape the programs for their needs. While HSARPA will need 
to have programs that have short term and intermediate term payoff, one can vis- 
ualize the role of the NSF in helping HSARPA as an executive agent in its early 
years while it is being fully configured. In the steady state a relationship between 
HSARPA and NSF along the lines of the DARPA-NSF model would be highly desir- 
able, with NSF providing longer term sustained funding. 

Other Agency Funding for Cybersecurity. Since the needs of different mission agen- 
cies in cybersecurity are somewhat different it would be important to have funding 
from NASA, DoE, and other mission agencies for their own needs. Additionally the 
role of the National Institute of Standards and Technology (NIST) could be an important 
one in managing testbeds, vetting and developing cybersecurity standards 
and best practices. NIST has also been an important executive agent for managing 
DoD programs and could continue to do so for DHS. 


2 Funding Gaps and Research Priorities for Cybersecurity 

The technology recommendations for suggested areas of funding given here 
were developed by a group of researchers, industry participants and the venture 
community over the last two years in a series of workshops, meeting and stud- 
ies: 

1. 25th June 2002, Meeting with a large sample of participants from Venture 
firms, DoD; OSD, DARPA, ONR, NSA, the President’s Critical Infrastructure 
Protection Board, large industry participants such as IBM, HP, Oracle, 
Symantec, Microsoft, Intel, non profits such as SRI, ISP, hosted by me in Palo 
Alto 

2. 18th September 2002, Meeting with industry leaders and Mr. Richard Clarke 
Head of the President’s Cyber Security Protection Board on the details of the 
Presidential Cybersecurity Plan held at Palo Alto. 

3. 19-20 September 2002. Sztipanovits (Vanderbilt), Stankovic (Virginia), and 
I ran the NSF/OSTP workshop on New Technologies for Critical Infrastructure 
Protection and Cybersecurity in Leesburg, Virginia with technology rec- 
ommendations for the White House Office of Science Technology and Policy. 
The OSTP report of this workshop will be released shortly. 

4. October 7-8 Workshop on Testbeds for Security, Squires (Chief Scientist of 
HP) led a meeting on networking research testbeds. 

5. August 2001, NSF Workshop on New Directions in Security, Doug Tygar, 
Berkeley 

6. August 2002, DARPA Information Sciences and Technology study on Security 
with Privacy, Doug Tygar. 

While the whole list of participants is too long to list, I would especially like to acknowledge 
the help of former colleagues at DARPA, Terry Benzel, Doug Tygar, and 
Ruzena Bajcsy of the University of California Berkeley, Janos Sztipanovits of Van- 
derbilt University, Jack Stankovic of the University of Virginia, Teresa Lunt of 
PARC (formerly Xerox PARC), Pat Lincoln and Victoria Stavridou of SRI, Patrick 
Scaglia and Steven Squires of HP, Robert Morris of IBM, David Tennenhouse of 
Intel, Jerry Fiedler of Windriver Systems for their help in developing these rec- 
ommendations. 

Computer trustworthiness continues to increase in importance as a pressing sci- 
entific, economic, and social problem. The last decade has seen a rapid increase in 
computer security attacks at all levels, as more individuals connect to common net- 
works and as motivations and means to conduct sophisticated attacks increase. In 
today’s environment there is heightened awareness of the threat of well-funded pro- 
fessional cyber hackers and the potential for nation-state sponsored cyber warfare. 
Cyber attacks are increasingly motivated by financial gain and global politics. 
A parallel and accelerating trend of the last decade has been the rapidly growing 
integration role of computing and communication in critical infrastructure systems, 
such as financial, energy distribution, telecommunication and transportation, which 
now have complex interdependencies rooted in information technologies. These over- 
lapping and interacting trends force us to recognize that trustworthiness of our com- 
puter systems is not an IT issue anymore; it has a direct and immediate impact on 
our critical infrastructure. Security is often a collective enterprise, with complicated 
interdependencies and composition issues among a variety of participants. This 
poses a challenge for traditional competitive economic models. Clearly there is an 
acute need for developing much deeper understanding of and scientific foundation 
for analyzing the interaction between cyber security, critical infrastructure systems 
and economic policy. 

The fundamentals of reliable infrastructure have not been adequately worked out 
for complex networks of highly interacting subsystems, such as the power grid and 
the airspace-aircraft environment. These are complex, often dynamically reconfig- 
ured, networks. The primary challenge for future generations of these systems is to 
provide increasingly higher efficiency, while assuring joint physical and logical con- 
tainment of adverse effects. Increasingly, autonomous but cooperative action is de- 
manded of constituent elements. Examples include the technology needed to support 
aircraft in high-capacity airspace, enabling the execution of parallel landing patterns 
under terminal area control. A deregulated power grid draws new market par- 
ticipants. These new players may produce highly variable efficiency, potentially ad- 
verse environmental effects, and they may pose hazards to system-wide stability. 
This trend towards autonomous, cooperative action will continue, with the demands 
of current and next-generation systems for open, interoperating, and cooperating 
systems. The achievement of a satisfactory level of interoperable functionality is 
both enabled by, and dependent upon, advances in information and control infra- 
structure for coordinated operation. Furthermore, entirely new capabilities, such as 
networks of devices for pervasive sensing and actuation are becoming viable, and 
the control and communication technologies for their effective use must be fully de- 
veloped and integrated into distributed infrastructure systems. 

Although reference frequently is made to the next generation of technologies as “in- 
telligent agent” systems or self-healing or self-reconfiguring or autonomic systems, 
this terminology conceals a complex of carefully integrated systems and software 
concerns. There is no panacea; services must be carefully engineered from the 
ground up in order to safely support a facade of highly autonomous action. Advances 
in software and information technology have improved the potential for a better sub- 
strate for future, more reliable infrastructures. The technology needs may be classed 
into the following categories: 

1. Unsolved Difficult Research Problems in Information Assurance and Sur- 
vivability. The areas of research highlighted here are: 

a. Intrusion and Misuse Detection: methods need to be automatic, pre- 
dictive, have a low false alarm rate, and possibly identify the adversary. 

b. Intrusion and Misuse Response: methods should provide a shared situa- 
tional awareness, automatic attack assessment, a dynamic reconfiguration 
of the system and possibly an automated counter attack. 

c. Security of foreign and malicious code: desired attributes for systems that 
protect against malicious mobile code include confinement of access and ca- 
pability and encapsulation of the code. 

d. Controlled sharing of information: the ability to dynamically authorize 
the sharing of information and automated data tagging. 

e. Distributed Denial of Service (DDoS) and Worm Defense: solutions are 
needed for modeling, measurement and analysis of attacks, detection of the 
attacks, attribution, dissipation of the attack, and possible retribution. 

f. Secure Wireless Communications 

g. New and Emerging Challenges 

i. Peer to peer computing 

ii. Security in ubiquitous and nomadic computers 

iii. Human factors and ergonomics in security 

iv. Networks surveillance and hygiene 

v. Insider threat detection, monitoring and response 

2. Technologies for Strong Security with Strong Privacy 

a. Selective Revelation: the goal here is to minimize revelation of personal data 
while facilitating analysis through the approach of partial, incremental revela- 
tion of data. 

b. Strong Audit: the goal here is to protect against abuse by watching the watchers: everyone 
is subject to audit, there is cross-organizational audit, and usage records 
are tamper proof. Possible new technologies include encrypted searches and 
crypto-protocols. 

c. Rule processing technologies: there is need for a formal language for expressing 
privacy rules and tools for automated checking of compliance, and a privacy 
toolbar for helping users. A related technology is the one needed for digital 
rights management. 

3. Secure Network Embedded Systems. The emerging infrastructure of the fu- 
ture will be based on wired and wireless networked devices ubiquitously embedded 
in the environment to provide “sensor-webs” of information for monitoring and con- 
trolling infrastructure networks. The embedded software, which will be present in 
these complex systems, needs to have the following attributes: 

a. Automated Design, Verification and Correctness by Construction. A large 
number of infrastructures suffer from being difficult to configure correctly and 
the resulting glitches are frequently as serious as cyber attacks. In addition 
they need to be fault tolerant: such systems are referred to as High Confidence 
Systems. 

b. Layered Security for Embedded Systems: the defenses need to be in depth 
to protect from attacks from the physical layer up through the applications 
layer: 
i. Physical Layer: protection from attacks like jamming and tampering 

ii. Link Layer: protection from unfairness and over frequent collisions of 
packets 

iii. Network and Routing Layer: protection from attacks due to greed, homing, 
misdirection and black holes. 

iv. Transport Layer: protection from attacks such as flooding and 
desynchronization. 

4. Validated Modeling, Simulation and Visualization of Critical Infrastruc- 
tures and their Interdependencies 

a. Tools for the assessment of the level of risk 

b. New modeling and simulation tools for complex systems 

c. Development of simulation testbeds for teaming exercises, response prepara- 
tion and assessment. 


3 A Collaborative University Research Program in 
Ubiquitous Secure Technology 

Here I describe a sample collaborative university research program that is focused 
at research problems in many of the areas described above. It is important to note 
that activities of this scale need to be engaged in by the scientific community in 
groups rather than as individual institutions. At Berkeley we have found it impor- 
tant to build such partnerships and consortia for research and development. We 
have put together a team of some of the strongest research universities led by 
Berkeley and including Stanford University, Vanderbilt University, Cornell Univer- 
sity, Carnegie Mellon University, along with San Jose State University, Smith College, 
and Fisk University to develop a Team for Research in Ubiquitous Secure Technology 
(TRUST) to radically transform the ability of organizations (software ven- 
dors, operators, local and federal agencies) to design, build, and operate trustworthy 
information systems for our critical infrastructure. TRUST will bring together a re- 
search team with proven track record in relevant areas of computer security, sys- 
tems modeling and analysis, software technology, economics, and social sciences. 
The research team will be advised and supported by vendors of information tech- 
nology and critical infrastructure (utility, telecommunication, finance, and transpor- 
tation) protection providers and stakeholders. 


3.1 Technical Research Program 

Our multidisciplinary approach allows solutions to emerge from an integrated view 
of computer security, software technology, analysis of complex interacting systems, 
and economic policy in the following areas: 

Composition and computer security — Computer security attacks today occur on 
a minute-by-minute basis. Organizations producing individual components, such as 
routers or central office switches, have increasingly devoted energy to protecting 
those components against attack. However, protection of individual components does 
not always result in protection of the entire system: different machines and different 
systems running on a single network often have complex interdependencies — 
and a malicious attacker can exploit those interdependencies for example in denial 
of service attacks, inter-machine authentication failures, and routing disruptions. 
Attackers can attack systems where different software programs must interact on 
a single operating system (examples include e-mail with attachments leading to e- 
mail worms, buffer-overflow problems caused by unexpected use of software function 
libraries, and windowing systems displaying bogus, malicious systems messages.) 
Modularization can increase the problem: when common IT components are inte- 
grated with specialized applications and embedded systems, deep knowledge of the 
underlying computational model is needed to avoid vulnerability. TRUST will bring 
together an integrated scientific approach to composition and computer security. 

Privacy — As a large amount of commercial and communication activity has moved 
to the Internet and World Wide Web, privacy concerns have increased both for indi- 
vidual users and organizations. Users perceive they have little control over informa- 
tion, and often those perceptions are correct — organizations are unable to accurately 
describe policy procedures and privacy-information crimes such as identity theft 
have increased sharply. Even disclosure of apparently innocuous information, such 
as an e-mail address, leads to unsavory activities, such as spam, which in turn can 
grow to a magnitude that can cause systemic problems. Organizations also have a 
need for privacy — not only to protect their customers, but also in cross-organiza- 
tional exchanges including auctions and communications. Privacy is a challenging 
problem because when information is shared (laterally, between organizations, or 
vertically, between different subsystems) each of the individual components involved 
in the sharing, the mechanism for sharing, and the consequences of the sharing, all 
present opportunities for invading privacy. Issues related to privacy emerge as a re- 
sult of interaction between technology and economic policy, such as in online bidding 
on energy markets or dynamic allocation of the frequency spectrum. To tackle pri- 
vacy, TRUST will develop solutions to the complex tradeoff between technology, eco- 
nomic policy and security. This will require a new look at the fundamental 
underpinnings of information management, storage, and retrieval. 

Critical infrastructure protection — Critical infrastructure systems are large net- 
works that move energy, information and material. Information technology is used 
to monitor, control and manage these systems by means of vast networks of com- 
puting equipment. Faults caused by natural disasters or malicious attacks can cause 
these networks to completely fail, leading to widespread damage. Critical infrastruc- 
ture protection requires making systems that are highly robust and available in the 
presence of hostile attacks. TRUST will approach computer security from a holistic 
systems view, considering a union of concerns including physical design, perform- 
ance, power consumption, reliability and others. For example, we don’t just consider 
secure and highly available communication between sensor devices and SCADA (Su- 
pervisory Control And Data Acquisition) centers, TRUST will consider the potential 
impact of feasible security attacks on the power distribution network, and the im- 
pact of signal encryption on feedback control loops. Anecdotal evidence and the find- 
ings of more systematic red team activities such as the Joint Chiefs’ Eligible Re- 
ceiver program, strongly suggest that the United States is highly vulnerable to at- 
tacks on its critical infrastructure — including key utilities (gas, water, and energy), 
communications services, finance, transportation, medical coordination, government 
services, and emergency services. Even in a single organization, such as a national 
telecom service provider, critical infrastructure protection is difficult, because these 
systems are highly complex and involve so many components that even their design- 
ers cannot understand all the interactions. The interaction of different critical infra- 
structure systems, and their interaction with public (critical or non-critical) systems, 
creates complex dependencies and control paths. Today, we have no good way of de- 
tecting these interdependencies, although hackers have proven themselves highly 
capable of finding attack opportunities and exploiting subtle vulnerabilities. 

TRUST will take a systems view which raises a broad set of trust questions: they 
range from protecting individual privacy to protecting large complex interacting crit- 
ical infrastructure, from embedded systems to networks, and they have a strong 
focus on security problems arising from composition. Not only is a large effort nec- 
essary to take the broad view — and to anchor this view in the context of large-scale 
operational environments - but this work requires strength from a wide variety of 
disciplines both inside computer science (cryptography, programming languages, dis- 
tributed systems, networking, human-computer interfaces, logic and model checking, 
configuration, software engineering, etc.) and outside computer science (economics, 
policy, law, statistics). 

3.2 Economics, Public Policy, Societal Challenges 

Solutions to today’s problems are an essential requirement to fulfilling the vision 
of ubiquitous computing. Many of today’s security vulnerabilities in networked em- 
bedded systems and SCADA are very specialized and hence visible to only a few. 
However, as society increasingly employs the use of software agents to control and 
organize multiple aspects of day-to-day life these security vulnerabilities will become 
impediments to their widespread adoption. A vision for the future of information 
technology in society implies that the presence of ubiquitous computing will bring 
with it access to interfaces that will become part of every day interchange for a wide 
class of citizens. 

Investigations need to be directed so as to lend maximum benefit to social questions 
such as those in the area of economics and incentives. These are particularly press- 
ing as questions of liability and insurance are moved up in the nation's business and 
legislative agenda. Issues of liability have become an important topic given the cost 
of security incidents. Economic and legal analysis suggests that a due care standard 
provides appropriate incentives, but how should the standard be set in practice? 
Without a clear understanding of sufficient standards or best practices, insurance 
companies do not have a clear basis on which to offer insurance policies covering 
security incidents. The interaction between liability, insurance, and care has been 
examined extensively in the law and economics literature. However, new questions 
arise in the context of information security, as "accidents" are often deliberate 
attacks. Hence the incentives of attackers must be better understood 
and modeled. In addition to these incentive problems, there are also a number of 
purely economic issues that need to be better understood. How can one quantify the 
benefits and costs from various security policies? How do public and private security 
policies interact? What are the nature and size of “transactions costs” associated 
with security? TRUST will address these questions in the course of our effort. It is 
anticipated that the research results will provide a solid basis for the establishment 
of policies, procedures and eventually case law for industry and government in man- 
aging the risk of computer security incidents. 


3.3 Education and Outreach 

American prosperity in the new millennium and increasing national security con- 
cerns make it important to increase the number of students who will join the na- 
tion’s technical enterprise as researchers. This is crucial in the cyber security space 
as there is currently a severe shortage of trained scientists (and almost no women 
and minorities) in the information security field. Additional need arises from our 
concerns about the “weakest link” of security. If even one user makes a serious 
error, it can endanger all the systems connected to his or her machines. We have 
a need to raise the level of security awareness of all people who use computers and 
depend on their results — namely, all citizens. TRUST brings a strong focus on educational 
outreach activities through its members' many activities. Educational activities 
will be integrated with TRUST research, through graduate programs, summer 
programs and directed research projects with underrepresented educational institutions. 


4 Testbed Research 

As discussed earlier, over the past ten years, there has been an increasing invest- 
ment in research aimed at developing cyber security technologies, by government 
agencies (NSF, DARPA, DoD) and by industry. However, the Nation still lacks 
large-scale deployment of security technology sufficient to protect our vital infra- 
structure. One important reason is the lack of an experimental infrastructure for 
developing and testing next-generation cyber security technology. Neither existing 
research network infrastructures (Abilene, vBNS) nor the operational Internet meet 
this need, due to the inherent risks of testing malicious behavior in operational net- 
works. New security technologies have been tested and validated only in small- to 
medium-scale private research laboratories, which are not representative of large 
operational networks or of the portion of the Internet that might be involved in a 
security attack. 

To fill this critical gap, we will build an experimental infrastructure network to sup- 
port the development and demonstration of next-generation information security 
technologies for cyber defense. This cyber Defense Technology Experimental Re- 
search Network (DETER Network) funded jointly by the National Science Founda- 
tion under its Networking Research Program in Computer and Information Sciences 
and Engineering (CISE) directorate and the DHS Science and Technology Office will 
provide the necessary infrastructure networks, tools, methodologies and supporting 
process — to support national-scale experimentation on emerging security research 
and advanced development technologies. 

Once again, we at Berkeley have led in putting together a broad based coalition of 
partners including the University of California Davis, University of Southern Cali- 
fornia-Information Systems Institute, Network Associates Laboratories, SRI, Menlo 
Park, the Pennsylvania State University, Purdue University, Princeton University, 
University of Utah, and industrial partners Juniper Networks, CISCO, Intel, IBM, 
Microsoft, and HP. The DETER project will create, operate, and support a 
researcher- and vendor-neutral experimental infrastructure that is open to a wide 
community of users. Furthermore, the DETER project will apply scientific bench- 
marks and measurements to both the creation of the experimental infrastructure 
itself and to validation of the experimental results. Two important defenses that we 
will develop on this testbed are: 

1. Distributed Denial of Service Attacks — One major objective of the DETER net- 
work is to make scientific advancements in 1) understanding the effects of sophisti- 
cated, large-scale DDoS attacks and 2) defending against them. Techniques and software 
capable of disabling large portions of the Internet for hours or days could be 
developed relatively easily today by sophisticated hackers or nation states. However, 
because such an attack has never been observed “in the wild”, the scientific and 
operational communities’ understanding of the underlying scientific phenomenon is 
at best fragmentary and speculative. Internet infrastructure components that are 
pushed to their limits by such attacks may exhibit non-linear or unstable behaviors 
that diverge from predictions derived from models, simulations, overlay networks, 
and scaled down demonstrations. As a result, we cannot accurately predict the im- 
pact of a large-scale attack on different points in the Internet topology. We plan to 
conduct experiments to improve understanding of the scientific phenomenon of a so- 
phisticated large-scale DDoS attack, with special attention paid to the following fac- 
tors: 

• Detection — What kinds of DDoS attacks can the mechanism detect, how accu- 
rately, and under what conditions? 

• Mitigation — What kinds of DDoS attacks can the mechanism mitigate (via 
blocking or rate limiting), how effectively, at which locations in the networks, 
and under what conditions? 

• Autonomy vs. Coordination — To what extent does the mechanism’s effective- 
ness depend on deployment in multiple locations with communication and co- 
ordination across locations, and how effective can the mechanism be if such co- 
ordination is not possible? 

• Collateral Damage — To what extent does the mechanism impede benign traf- 
fic, and under what conditions, i.e., does it do more harm than good? 

2. Worm Defenses — Worms present a substantial and growing threat to the Internet 
and to large government and commercial enterprise networks. The recently released 
SQL Slammer (Sapphire) worm provided a stark illustration of the dramatic speed 
and potential impact of a simple worm, spreading to more than 75,000 hosts within 
ten minutes and causing ATM failures, airline flight cancellations, and widespread 
network outages. The DETER Network can play a crucial role in supporting study 
of the behavior of these worms and evaluation of new worm defense technologies. 
Worm behavior is currently only poorly understood. Through testbed experimen- 
tation, researchers can study different models of worm propagation (e.g., random 
scanning, target-list, coordinated, hybrid) and their effects on propagation rates in 
a realistic network environment. They can further study effects of the network con- 
gestion caused by worm propagation through a large network, determining how such 
congestion affects legitimate applications and the worm itself as infection spreads. 


5 A Model for Public-Private Partnerships for Rapid 
Technology Transfer in Cybersecurity 

The issues in transitioning cybersecurity research and development are immediate 
and pressing. There has arguably been a market failure in bringing cybersecurity 
technologies to the market. The most common complaint that one hears from vendors 
and service providers runs something like: “No one will pay for security,” or “Security 
is everyone’s second most favorite priority,” or “Security products suffer from 
the paradox of the common good.” “Will the Federal government play the role of 
market maker in early adoption of secure products?” “Is there sufficient demand to 
stimulate new companies around new ideas in cyber-security?” “Who will provide 
roadmaps to help the investment by established companies and the venture community 
in cyber-security products?” However, there is reason to feel optimism for 
change, provided that some steps are taken immediately. Experience gained from 
the national response to the potential perils of the Y2K conversion is worth revisiting 
in the context of cybersecurity, with especial attention to the role of the mandatory 
SEC filings for corporations to explain their Y2K strategy. 

A critical issue for cybersecurity is the ability to quickly transition products from 
the laboratory and the research community to industry. A fundamental organiza- 
tional problem that exists today is the lack of mechanisms for filling in the gap be- 
tween the end of a successful Federal research program and the investment by the 
venture community and industry in products. Research prototypes need to be hard- 
ened, tested on large scale test beds, informed, customized and modified in response 
to the needs of a diverse set of customers before they can attract capital to allow 
them to be integrated into products. In addition, industry, especially systems integrators 
and the larger IT companies, would benefit from roadmaps informed by this 
technology transition. The term public-private partnerships is used to describe the 
need for cooperative arrangements among academia, industry, venture capital, and 
government with individual stakeholders in the infrastructures to bring the newest 
products to the marketplace and then to the infrastructure stakeholders. It is important 
for the research and development community to play a role in developing 
the relevant non-profits and trade groups to pursue transfer of ubiquitous secure 
technology. It is important for us to continue to hold focused workshops and seminars 
on particular topics relating to infrastructure protection and cyber-security. Research 
and Development will need to learn and evolve with results, using an 
iterative investigate-develop-educate-apply cycle. It is critical to develop science, 
technology and proof of concept prototypes that will be tested through models that 
emerge from a series of analytical and case studies, experimentation and simula- 
tions. For example, through participation with the Secret Service’s New York City 
and San Francisco Electronic Crimes Task Force it has been possible for the 
cybersecurity research community to develop an understanding of the needs of 
cybersecurity for the financial community. 

A success story in public-private partnerships, which has all the hallmarks that 
would be desirable for cybersecurity, is in the area of semiconductor manufacturing. 
The Semiconductor Industry Association (SIA) and Semiconductor Research Consortium 
(SRC) are fine examples of non-profit organizations, which have facilitated 
both the funding of rapidly transitioned research to the semi-conductor industry 
and led the continual development of roadmaps for the electronics industry. DoD 
funding, both from the OSD and DARPA, from the earliest days of this research has 
been instrumental in maintaining a strategic national component both for competi- 
tiveness and also for maintaining US superiority in a vital industry sector. My own 
sense is that non-profits of the same ilk as the SIA and SRC, with the same kind 
of partnership with DHS and DoD, could play an important role for developing both 
a mechanism for rapid transition of focused research and road mapping for industry 
and the investment community. Once again, I feel here that, for strategic national 
security reasons, DoD should partner with DHS in co-funding such ventures. 


6 Concluding Remarks 

Thank you Mr. Chairman and Committee members for the opportunity to provide 
this testimony to the House Subcommittee on Cybersecurity, Science, Research and 
Development, of the Committee on Homeland Security. We laud you for holding this 
very important set of hearings and for engaging in a matter of deep national and 
homeland security. The research community offers the Subcommittee our full sup- 
port and cooperation, and every success in your deliberations. 

Mr. Thornberry. I thank the gentleman. And I neglected to say 
at the outset that each of your full statements will be made part 
of the record. And also, let me compliment each of you on your full 
written statements, because they did a very good job of directly ad- 
dressing the questions in which this subcommittee is interested, 
and I appreciate that very much. 

Let me now turn to our next witness. Dr. Steve Bellovin is a 
member of the National Academy of Engineering at the National 
Research Council. He is also a technical leader and fellow from 
AT&T Laboratory. Dr. Bellovin, thank you for being with us. And 
you are now recognized for 5 minutes. 

STATEMENT OF STEVEN BELLOVIN, PH.D., TECHNICAL 
LEADER AND FELLOW, AT&T LABORATORY 

Mr. Bellovin. Thank you, Mr. Chairman, Ms. Lofgren, and 
members of the committee. I am delighted to come to help you. 

I should add, one of my other roles, I am Security Area Director 
for the Internet Engineering Task Force, which is the group re- 
sponsible for most of the standards used on the Internet today. 

We face a very serious cybersecurity problem. Usually we can 
protect an individual high-value system, though it is hard. I run 
my own personal computers as tightly as I know how to; in the last 
2 years, probably there were a dozen different ways that, if someone 
sent me the right message at the right time, they could have 
taken over this system. And this is run about as tightly as any- 
thing can be and still be connected to public networks. 

We cannot protect all of the machines, and we simply don’t know 
how to. We don’t even know what the magnitude of the threat is 
even from ordinary hackers, let alone nation states and possible 
cyber terrorists. The available data on what kinds of attacks, on 
the number of attacks, is simply lacking. We need more research 
to help us understand what is going on, because you need different 
defenses against cyber terrorists than you do against ordinary 
hackers. 

Most of the security problems we see today are caused by buggy 
software. Buggy software is probably the oldest unsolved problem 
in computer science. I have no reason to think it is going to be 
solved in my professional lifetime. If we design software correctly, 
though, we can restrict our attention to the crucial pieces for security 
and probably get those right. Software reliability has improved. 
It is no longer unusual to see a server that has been up 
for a year or more. But we have to design software with that sort 
of division in mind. We know somewhat of how to do that, but not 
nearly enough. 

We need new mathematical formal frameworks for assessing and 
measuring the security of a system. A locksmith can tell you how 
long a safe can resist an attack with certain kinds of tools. A com- 
puter scientist can’t do the same. 

Pure research on cryptography, basic research on cryptography is 
probably not a priority. It is not that cryptography is not important 
— I have done a lot of cryptographic research myself — but we 
have far more science there than we have currently applied. We 
need a great deal of effort on technology transfer from the theo- 
reticians to the practitioners; and on engineering, taking the cryp- 
tographic mechanisms and actually engineering them to be used on 
deployed systems. 

I would note that open standards are better for this because they 
promote diversity. The lack of cyberdiversity, like the lack of bio- 
diversity, leaves us very vulnerable to a single infection vector, a 
single attack vector. This is a very serious issue in the computer 
industry today, because many other trends push towards one 
source rather than many. 

If we have all the security technologies, it is often too hard to 
use. We need to do a lot of work on the human factors of computer 
security. Most people don’t configure the systems securely because, 
frankly, it is too hard to do so. I find it hard sometimes myself, and 
I am a professional in this field, trying to understand some of the 
messages and prompts that I get. 

We need incentives for vendors to develop more secure systems. 
That is, both security features and more reliable, less buggy soft- 
ware. And we need incentives for end users to use these secure sys- 
tems and these secure features. 

We need to improve systems administration. This isn’t a sexy 
area, but most actual penetrations are caused by failure to apply 
available patches to correct known vulnerabilities. It is once the 
patch comes out that most of the activity takes place. Not always, 
but that is the large, vast majority of system penetrations. But no 
responsible system administrator will patch a production system 
without testing it. System administration is not a prime area for 
research; it seems too mundane. Nevertheless, if we can have bet- 
ter tools for automating the administration, for testing systems, 
and, by the way, for improving the resources available to system 
administrators both in government and in industry, this has got 
the potential for a very large payoff. This is some low-hanging 
fruit. 

Security also depends on authentication. Authentication is a sub- 
tle business. It is hard to get right. If you get it wrong, you may 
have a system failure, you also violate individual privacy. It is im- 
portant to pay attention to both of these factors when designing 
systems. 

There are no simple answers to the cybersecurity problem. There 
is no one technology that is going to solve it for us. There are a 
number of areas, however, that if we put in the appropriate re- 
sources, I think we can make a lot of progress and get systems not 
absolutely secure — there is no such thing — but markedly more se- 
cure than they are today. 

Thank you, Mr. Chairman, Ms. Lofgren, members of the com- 
mittee. 

Mr. Thornberry. Thank you, Doctor. 

[The statement of Mr. Bellovin follows:] 

PREPARED STATEMENT OF MR. STEVEN M. BELLOVIN 

Cybersecurity Research Needs 


1. Introduction 

It is quite clear that cybersecurity is vital to our nation’s safety. A wide variety 
of National Research Council reports, summarized in Cybersecurity Today and To- 
morrow — Pay Now or Pay Later [1], have illustrated the threat in no uncertain 
terms. 

Although there are things that the information technology profession — software 
vendors, network operators, and end user sites — can and should do today to improve 
computer security, the simple fact is that there are limits on how good a job it can 
do. Even with unlimited financial resources, and the best will, we could not do an 
adequate job. Quite simply, we do not know how to mount an adequate defense. It 
is usually possible to protect an arbitrary resource; it is not currently possible to 
protect all critical resources. 

2. Threats 

The types of defenses that are necessary depend on the nature of the likely 
attacker. Schemes that will keep out the stereotypical “hacker” — i.e., the bored 
teenager with too much time and too few morals — are not very effective against a 
nation-state. The former typically use tools downloaded from someone more com- 
petent; the latter could develop its own custom tools, and combine them with phys- 
ical world techniques such as “the three Bs — bribery, blackmail, and burglary” — or 
terrorist attacks. 

We do not have an adequate categorization of the threat model. Too little research 
has been done on who launches what kind of attacks. It isn’t an easy thing to do; 
apart from the fact that most attacks are never detected, many organizations are 
reluctant to disclose their vulnerabilities. But we need to know the attackers’ capa- 
bilities if we are to devise adequate defenses. 

3. Basic Research Questions 

Most computer security problems are caused by buggy software [3]. It would be 
naive to assume that the problem was solvable now, when it hasn’t been solved de- 
spite efforts stretching for more than 50 years. Nevertheless, we must continue to 
focus effort on it. If nothing else, the need now is to solve a subtly different problem: 
making a small subset of software correct, rather than software as a whole. We may 
be able to achieve it; today’s operating systems are far more reliable than those used 
a generation ago. 

However, if we are to focus our efforts on the critical software, we must learn how 
to divide up systems appropriately. We have long known how to do that for oper- 
ating systems, but many of today’s problems come from faulty applications. More 
generally, we must learn how to build secure systems from insecure components, 
just as we can produce highly reliable computer systems from unreliable electronic 
parts. 

We need new formal frameworks for analyzing the security of a system, and for 
specifying its security behavior. We do not have adequate tools for understanding 
how “strong” a computer system is; at best, we can say that some system can more 
or less do certain things reliably. By contrast, civil engineers can tell you how much 
weight a bridge can hold, while locksmiths can tell you how long it will take to 
break into a safe using a specified set of tools. 

Formal, mathematical statements have proved to be powerful tools in some areas 
of computer science. We need to be able to apply them to computer security issues. 

Although basic cryptographic research is important and should be continued, it 
is not a high priority. As noted, most penetrations cannot be prevented by cryp- 
tographic means. It is more important to do a better job using the cryptographic 
science we have. Note that I say this as one who has published more than a dozen 
cryptographic research papers. 

Most basic research work is done at universities. But it is not possible to scale 
up the amount of basic security research very quickly. There are not that many pro- 
fessors who are capable of doing such work; there is a limit to how much money 
each one can profitably use. 

4. The Need for Engineering 

Although, as noted, there is a need for more basic research, a great deal of prior 
research has not yet been translated into practice. For example, we have far more 
cryptographic science than we have network protocols that use this science. We need 
to support technology transfer to industry groups and standards organizations; we 
cannot protect our infrastructure with theoretical constructs. (I note that open 
standards are better; apart from the “many eyes” notion, with open standards there 
can be multiple independent implementations of the same function. The National 
Research Council noted that the lack of diversity in platforms was a major risk fac- 
tor [3].) 

More subtly, much security technology is not employed because it’s too hard to 
use. We need research in the human factors of security technology. 

Assuming that industry does the necessary cryptographic and human factors engi- 
neering, the results must be translated into practice. This may require incentives 
for software vendors to develop the code, and for end users to employ it. 

As noted earlier, most security holes are due to buggy code. That is bad enough; 
what is worse is that most penetrations exploit bugs for which patches are available 
but have not yet been applied. The cause is not laziness or incompetence by systems 
administrators; rather, it’s reflective of the immense difficulty of the systems admin- 
istration task. Patches have a higher bug rate than base code, and may thus be 
more likely to create new security holes; beyond that, a remarkable amount of code 
functions because of an implicit reliance on some underlying bug that was present 
on the development systems. Fixing a bug may, as a side-effect, disable essential 
applications. No responsible systems administrator will install a patch on a produc- 
tion system without extensive testing, but this behavior leaves the machine vulner- 
able. We need research to solve this dilemma. Systems administration is not a typ- 
ical research topic; nevertheless, it is the area with the biggest potential payoff for 
a relatively modest investment. 

It is worth noting that systems administration is often a high stress, low status 
job. Administrators often struggle to perform basic tasks because of inadequate re- 
sources. Measures to improve systems administration, in industry and government, 
would likely have a significant effect on practical computer security. 

5. Privacy 

Often, computer security depends on proper authentication of authorized users. 
Authentication technologies, ranging from passwords to biometrics, are subtle and 
difficult to use properly. Beyond simple issues of correctness, any authentication 
technology can be used in ways that violate personal privacy [2]. Both research on 
cybersecurity and deployment of technology should protect privacy to the extent fea- 
sible. 

6. Conclusions 

There are no simple answers to the problem of cybersecurity. What is needed is 
a combination of basic research, technology transfer, and applications of new and 
previously known techniques. We, as a nation, cannot afford to neglect the issue. 

References 

[1] Computer Science and Telecommunication Board, editor. Cybersecurity Today 
and Tomorrow — Pay Now or Pay Later. National Academies Press, 2002. 

[2] Stephen T. Kent and Lynette I. Millett, editors. Who Goes There?: Authentication 
Through the Lens of Privacy. National Academies Press, 2003. 

[3] Fred B. Schneider, editor. Trust in Cyberspace. National Academies Press, 1999. 

Mr. Thornberry. There are several areas that you mentioned we 
will certainly come back to in questions. 

Finally, we have Mr. Dan Wolf, Director of Information Assur- 
ance at the National Security Agency. Members will remember that 
Mr. Wolf has helped us before. Really, the first activity of this sub- 
committee was kind of a Members-only workshop on cybersecurity 
which Mr. Wolf put on for us. 

Welcome back, and we appreciate your being here. You are now 
recognized for 5 minutes. 

STATEMENT OF MR. DANIEL G. WOLF, INFORMATION 
ASSURANCE DIRECTOR, NATIONAL SECURITY AGENCY 

Mr. Wolf. Thank you, Chairman Thornberry, and members of 
the subcommittee. My name is Daniel Wolf, and I am NSA’s Information 
Assurance Director. 

NSA’s Information Assurance Director is responsible for pro- 
viding information assurance technologies, services, processes, and 
policies to protect national security information systems. We are 
also responsible for conducting research and development. 

In regards to your theme for this hearing, “Cybersecurity — Getting 
It Right” — 

Mr. Thornberry. Excuse me, Mr. Wolf. Would you pull that 
microphone just a little closer to you? Some of us are having trou- 
ble hearing, including me. There you go. Thank you. 

Mr. Wolf. In regards to your theme for this hearing, 
“Cybersecurity — Getting It Right,” I am not sure that NSA has all 
the answers or we have always got it right, but I am quite con- 
fident during our 50 years of deploying communications, and now 
cybersecurity products, we have learned quite a few lessons. Some 
people want to keep NSA in a box labeled “for classified informa- 
tion only.” They say that NSA’s perspective is too narrowly focused 
on national security systems. However, I believe quite to the con- 
trary. It has been my experience that there is little difference be- 
tween the cybersecurity that is required for a system processing 
top secret military information and one that controls a segment of 
the Nation’s critical infrastructure. 

The information management principle within the national secu- 
rity community has always been the concept of need to know, but 
the fundamental information principle for homeland security is 
need to share. Because the threat always rolls downhill; that is, 
our adversaries will always attack the weakest link. Information 
must be protected across the entire system. A three-sided castle is 
not very safe. The entire community must share the same stand- 
ards if we are to protect everyone on all four sides of the castle. 
Your invitation to this committee outlined a number of areas 
where you wanted some specific comments and answers. The first 
was in technical approaches to optimize cybersecurity. I believe 
that the highest payoff for optimizing cybersecurity would be cre- 
ation of an interoperable authentication system deployed widely 
throughout the Federal, national security, first responder, and crit- 
ical infrastructure community. This authentication system also 
forms the basis for all of the other cybersecurity services. 

It is also important to note here that the most critical infrastruc- 
tures like this PKI should be built using U.S. technology. I have 
concerns with foreign software, unknown trust and quality, being 
integrated into critical U.S. systems. 

My next priority to cybersecurity is effective border protection. 
Just like our national borders or the perimeters of our buildings, 
we need to protect our cyber borders. Effective border protection in- 
cludes many different technologies, including firewalls, virtual pri- 
vate networks, high-assurance guards, and of course intrusion de- 
tection. 

It has also been estimated that over 90 percent of all successful 
attacks on DOD systems are against known vulnerabilities. System 
operators struggle to keep up with all the patches that are issued 
each month. A system left unpatched soon becomes a target like an 
unlocked sports car with the keys in the ignition. Therefore, we 
need an automated patch management system. 

Your second question dealt with advanced technologies and 
should they be pursued to outpace attacks. Today, most of the in- 
formation coordination during a cyber attack occurs at the speed of 
humans. Code Red infected 50,000 machines in an hour. We need 
the ability for networks to work together automatically to weather 
such an attack. 

Another significant research topic is attack attribution, the capa- 
bility to geolocate and identify the source of attacks. Without con- 
fident knowledge of who and where an attack was mounted, it is 
impossible to decide on the appropriate response. A rapid and reli- 
able capability that separates nuisance hackers from more serious 
threats could increase the overall effectiveness of every 
cybersecurity practitioner in both the government and the private 
sector. 

Areas needing higher priority and funding. There is little coordi- 
nated effort today to develop tools and techniques to effectively and 
efficiently examine either source or executable software in large ap- 
plications. We need a national software assurance center to pull together 
representatives from academia, industry, Federal Government, 
national labs, and the national security community, sharing techniques 
to solve this growing threat. It could liken us to the Manhattan 
Project that was mentioned earlier. This is a significant 
problem, I believe. 

In today’s environment, the need is particularly acute for ways 
to counter security vulnerabilities found in popular commercial op- 
erating systems. While many of these vulnerabilities can be fixed 
by properly configuring the system, the goal is to configure these 
systems to be as secure as possible right out of the box. I am happy 
to learn from your last hearing that some equipment vendors are 
now offering the security standards as the default configurations. 
NSA, working with DISA, NIST, the NIPC, the former NIPC, the 
FedCert, SANS, CIS, developed a set of consensus benchmark secu- 
rity standards. These standards provide a sort of, if you want to 
call it, preflight checklist of security settings. The benchmark 
standards represent an effective model based on agreement be- 
tween and among security experts. NSA is proud to be part of this 
project and will continue to support the community in establishing 
security standards. 

The fourth area was in the role of transfer among government, 
academia, and industry. NSA requirements for cybersecurity prod- 
ucts for national security uses are identical to the requirements 
found in other mission-critical systems; for example, homeland se- 
curity and a critical infrastructure protection. We have developed 
a number of programs leveraging commercial information tech- 
nology. My written statement provides the details, but let me just 
highlight a few of these programs. 

The National Information Assurance Partnership, or NIAP, is a 
U.S. Government initiative designed to meet security testing, eval- 
uation, and assessment needs of both information technology pro- 
ducers and consumers. 

Another is the NSTISSP 11. This is a national security commu- 
nity policy requiring the acquisition of information assurance prod- 
ucts that have been validated in accordance with either common 
criteria or other approved methods. 

Another is the Centers of Academic Excellence in Information 
Assurance Education. This program promotes higher education and 
information assurance, and produces a growing number of professionals 
with IA expertise in various disciplines. Fifteen universities 
have been designated as centers of academic excellence to date. We 
need this type of program for our workforce development. We must 
invest in our future, our people’s future. 

And the next area is perspective on leveraging national security 
standards for homeland security. The key to success for protecting 
the homeland is secure interoperability. NSA has created a number 
of secure interoperability standards for national security use that 
are directly applicable for homeland security and public safety. 
Some sectors are already adopting these standards. If we are going 
to share information, these things are extremely important. 

In conclusion, it has been my pleasure to share the work of my 
agency with the committee today. I believe that much of the re- 
search and development initiated by NSA for use in the national 
security community is directly transferrable to the needs of home- 
land security. We must change our fundamental assumptions from 
“need to know” to “need to share.” We must share policies and 
processes across the community. Cybersecurity products and tech- 
nologies have been the focus of my remarks today, but technology 
alone will never be good enough to protect us. Ultimately, getting 
cybersecurity right is more about what you do than what you 
buy. 

Thank you for the opportunity to speak to you today. 

[The statement of Mr. Wolf follows:] 

PREPARED STATEMENT OF MR. DANIEL G. WOLF 

Thank you Chairman Thornberry and the members of the Subcommittee. I am 
honored to be here and pleased to have the opportunity to speak with your com- 
mittee to discuss cybersecurity research from the point of view of the National Secu- 
rity Agency as we conduct our mission to address threats to the security of critical 
U.S. Government information systems. 

I also would like to thank the Chairman and other members of the Subcommittee 
for their strong interest and attention to this vital area. In my opinion, your leader- 
ship is important for raising awareness of the serious security challenges we all face 
in our age of interconnected, inter-dependent digital information networks. 

My Name is Daniel Wolf and I am NSA’s Information Assurance Director. NSA’s 
Information Assurance Directorate is responsible for providing information assur- 
ance technologies, services, processes and policies that protect national security in- 
formation systems. We are also responsible for conducting the research and develop- 
ment of information assurance technologies and systems. 

I would like to note that NSA’s Information Assurance Directorate and its prede- 
cessor organizations have had technical and policymaking responsibility regarding 
the protection of national security telecommunications and information processing 
systems across the Executive Branch since 1953. 

In regards to your theme for this hearing: “Cybersecurity — Getting It Right.” I am 
not sure that NSA has all of the answers or that we always have gotten it right — 
but I am quite confident that during our 50 years of deploying communications and 
now cyber security products we have learned quite a few lessons. We have had tre- 
mendous successes and our share of failures. We also have gained a deep under- 
standing and respect for the challenges the nation must overcome to begin to tame 
cyberspace. 

Some in government and industry want to keep NSA in a box labeled “for classi- 
fied information only.” They suggest that NSA’s perspective is much too narrow due 
to our focus on the stringent requirements of national security systems. However, 
I believe quite the contrary. It has been my experience — and my testimony will soon 
address — that there is little difference between the cybersecurity that is required for 
a system processing top-secret military information and one that controls a segment 
of the nation’s critical infrastructure. 

Both systems require the element of assurance or trust. Trust that the system 
was designed properly. Trust that it was independently evaluated against a pre- 
scribed set of explicit security standards. Trust that it will maintain proper oper- 
ation during its lifetime, even in the face of malicious attacks and human error. It 
has been my experience that effective cybersecurity must be baked into information 
systems starting at the R & D phase. Trust cannot be sprinkled over a system after 
it is fielded. 

Homeland security presents another reason to suggest that cybersecurity require- 
ments must converge. The information management principle within the national 
security community has always been the concept of need-to-know. But the funda- 
mental information principle for homeland security is need-to-share. With need-to- 
share we must develop technical solutions for secure interoperability that may be 
called on to tie top-secret intelligence systems to a local first responder system. 

Because the threat always rolls downhill, that is to say, adversaries always attack 
the weakest link. Information must be protected across the entire system. A three- 
sided castle is not very safe. Therefore, I contend that in almost all cases the 
cybersecurity requirements found in national security systems are identical to those 
found in e-commerce systems or critical infrastructures. It follows then that the re- 
search challenges, security features and development models are also quite similar. 

With these similarities in mind, NSA has been working hard to converge these 
cybersecurity markets through a series of programs and research initiatives. Our 
goal is to leverage our deep understanding of cyber threat and vulnerability in a 
way that lets us harness the power and innovation provided by the information 
technology industry. We believe that the resulting cybersecurity solutions will pro- 
tect all critical cyber systems, regardless of the information they process. 

I think it will be useful for me to provide a brief description of NSA’s 
cybersecurity responsibilities and authorities. I will then turn to the specific ques- 
tions you asked me to answer in your invitation. 
NSA Information Assurance Background 

When I began working at NSA some 36 years ago, the “security” business we were in was called Communications Security, or COMSEC. It dealt almost exclusively with providing protection for classified information against disclosure to unauthorized parties when that information was being transmitted or broadcasted from point to point. We accomplished this by building the most secure “black boxes” that could be made, employing high-grade encryption to protect the information. In the late 1970s, a new discipline we called Computer Security, or COMPUSEC, developed. It was still focused on protecting information from unauthorized disclosure, but it brought with it some additional challenges and threats, e.g., the injection of malicious code, or the theft of large amounts of data on magnetic media. 

With the rapid convergence of communications and computing technologies in the 
early 1980s and especially with the explosion of the personal computer, we soon re- 
alized that dealing separately with COMSEC on the one hand, and COMPUSEC on 
the other, was no longer feasible, and so the business we were in became a blend 
of the two, which we called Information Systems Security, or INFOSEC. The fundamental thrust of INFOSEC continued to be providing protection against unauthorized disclosure, or confidentiality, but it was no longer the exclusive point of interest. 

The biggest change came about when these computer systems started to be inter- 
connected into local and wide area networks, and eventually to Internet Protocol 
Networks, both classified and unclassified. We soon realized that in addition to con- 
fidentiality, we needed to provide protection against unauthorized modification of in- 
formation, or data integrity. We also needed to protect against denial-of-service at- 
tacks and to ensure data availability. Positive identification, or authentication, of 
parties to an electronic transaction had been an important security feature since the 
earliest days of COMSEC, but with the emergence of large computer networks, data 
and transaction authenticity became an even more important and challenging re- 
quirement. 

Finally, in many types of network transactions it becomes very important that 
parties to a transaction cannot deny their participation, so that data or transaction 
non-repudiation joined the growing list of security services often needed on net- 
works. 

Because the term “security” had been so closely associated, for so long, with providing confidentiality to information, we adopted the term Information Assurance, or IA, within the Department of Defense to encompass the five security services of confidentiality, integrity, availability, authenticity and non-repudiation. I should emphasize here that not every IA application requires all five security services, although most IA applications for national security systems — and all applications involving classified information — continue to require high levels of confidentiality. 

Another point worth noting is that there is an important dimension of Information Assurance that is operational in nature and often time-sensitive. Much of our work in IA is found in providing an appropriate mix of security services that are not operational or time-sensitive, e.g., education and training, threat and vulnerability analysis, research and development, assessments and evaluations, and tool development. However, in an age of constant probes and attacks of networks, an increasingly important element of protection deals with operational responsiveness in terms of detecting and reacting to these time-sensitive events. This defensive operational capability is closely allied with and synergistic with traditional IA activities, but in recognition of its operational nature is generally described as Defensive Information Operations, or DIO. NSA’s responsibilities in this area have grown considerably since the late 1990s. 

To meet this DIO challenge, NSA’s National Security Incident Response Center 
(NSIRC) provides real-time reporting of cyber attack incidents, forensic cyber attack 
analysis, and threat reporting relevant to information systems. Through round-the- 
clock, seven-days-a-week operations, the NSIRC provides the Departments of De- 
fense, the Intelligence Community, Federal Law Enforcement, Department of Home- 
land Security and other Government organizations with information valuable in as- 
sessing current threats or defining recent cyber intrusions. 

NSA’s responsibilities and authorities in the area of information assurance are 
specified in, or derived from, a variety of Public Laws, Executive Orders, Presi- 
dential Directives, and Department of Defense Instructions and Directives. The Sec- 
retary of Defense is the Executive Agent for National Security Telecommunications 
and Information Systems Security. The Director of NSA has broad responsibilities 
in providing for the security of national security[1] telecommunications and information systems processing national security information, including: 

• Evaluating systems vulnerabilities 

• Acting as the focal point for cryptography and Information Systems Security 

• Conducting Research and Development 

• Reviewing and approving security standards and policies 

• Conducting foreign liaison 

• Assessing overall security posture 

• Prescribing minimum security standards 

• Contracting for information security products provided to other Departments 
and Agencies 

• Coordinating with the National Institute of Standards and Technology 
(NIST); providing NIST with technical advice and assistance 

While protecting the confidentiality of classified information via extremely strong cryptographic systems was a major part of NSA’s mission in the past, our mission has changed emphasis considerably over the last ten years. We now spend the bulk of our time and resources engaged in research, development and deployment of a full spectrum of IA technologies for systems processing all types of information. NSA’s days of just building “crypto for classified” are long gone. 

Specific Issues Related to Cybersecurity R&D 

Your invitation outlined a number of areas where you wanted specific comments 
and answers. 

1. Technical approaches to optimize cybersecurity. 

I believe that the highest payoff for optimizing cybersecurity is the creation of an 
interoperable authentication system deployed widely throughout the federal, na- 
tional security, first responder and critical infrastructure community. The typical 
approach used is a public-key-infrastructure (PKI) system with a smart card that 
contains your cyber credentials. This is the type of system that NSA and DISA have 
built for DoD. A national PKI system is required that allows for strong authentica- 
tion in cyberspace for homeland security. 

If we have this national system in the future — then when a first responder con- 
nects to a DHS website to access information or upload a report — we will know ex- 
actly who they are. We can then assign various privileges according to the role that 
the person is assuming for that specific information transaction. This authentication 
system also forms the basis for all of the other cybersecurity services from pro- 
tecting the control of Supervisory Control and Data Acquisition (SCADA) systems 
to encrypting your email and passwords. 

It is also important to note here that the most critical infrastructures, like a PKI, 
should be built using U.S. technology. I have concerns with foreign software of un- 
known trust and quality being integrated into critical U.S. systems. 

My next priority for cybersecurity is effective border protection. Just like our na- 
tional borders or the perimeters of our buildings, we need to protect our cyber bor- 
ders. Effective border protection includes many different technologies. 

• The most important technology is a firewall. Firewalls help networks resist attacks by establishing a strong but resilient border between our protected network and the external Internet. 

• We also need encrypted tunnels, also called virtual private networks or 
VPN’s. These devices sit between critical networks to protect the information 
as it moves between secure networks over unprotected pipes. 

• Another necessary border security technology is called a “guard”. A guard is 
used when we need to share information between security domains. Consider 
the case of an intelligence report that is created on a top-secret network. It 
must be sanitized to unclassified and then sent to a local police department. It 
would be dangerous to allow this information to move between security domains 
without review. High assurance “guards” are designed to automatically and 
safely allow certain information packets to flow between systems but stops all 
others. 

• Finally, effective borders require the ability to detect and respond to intrusions. Just like a security camera on a bank, cyber intrusion detection systems monitor the flow of information around your border and detect suspicious activity. 

[1] The Computer Security Act of 1987 defines national security systems as telecommunications and information systems operated by the US Government, its contractors, or agents, that contain classified information or, as set forth in 10 USC Section 2315, that involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence missions. 

The best way to protect a system from attack is to eliminate its vulnerabilities. 
The best way to eliminate vulnerabilities is to improve the way we write software. 
High on my research priority list is the need for assured software design tools and 
development techniques. We also need to improve computer operating systems by 
including functionality to enhance their ability to defend themselves from attack. 

The elimination of vulnerabilities is the goal but the reality is that we are a long 
way from achieving this goal. Attacks are common and vulnerabilities are discov- 
ered daily. It has been estimated that over 90 percent of all successful attacks on 
DoD systems are based on vulnerabilities that are already known and that have an 
updated software fix or “patch” available. The rare system operator can keep up 
with all of the “patches” that are issued each month. A system left un-patched soon 
becomes a target like an unlocked sports car with the keys in the ignition. There- 
fore, another way to optimize cybersecurity is with an automated patch manage- 
ment system. 

This system would also use strong authentication as provided by a PKI but the software producer would sign the new application instead of a person. The patch would be automatically and safely sent to your system. The PKI guarantees that it comes from an authentic source and has not been corrupted. 

2. What areas of advanced technology should be pursued to outpace at- 
tacks? 

Research is required to improve a cybersecurity system’s ability to modify itself 
on-the-fly. New attacks are constantly emerging and new vulnerabilities are discov- 
ered even in the most carefully designed systems. The ability to update must be 
safely executed and as transparent to the user as possible. 

NSA is working on a multi-year, nearly $3B development program called Cryp- 
tographic Modernization (CM) that has some of these features. There are over 1.3 
million cryptographic devices in the U.S. inventory. Over 75% of these systems will 
be replaced during the next decade. Future security systems are being designed to 
use the network to safely program and reprogram their operating characteristics 
automatically and transparently to the user. 

Research is also needed to learn how to build cybersecurity systems that can con- 
tinue to operate even while under attack. Resilient systems, like those being inves- 
tigated by DARPA and others will be needed in the future. The goal is to have a 
system that degrades gracefully instead of causing a cascade of insecurity. 

I would also suggest that considerable research is needed to effectively coordinate 
information during a cyberattack. Today, most of this coordination occurs at the 
speed of humans. But attacks are carried out in seconds and are often carried out 
automatically. 

The CODE RED attack in 2001 infected 50,000 machines per hour, ultimately 
causing billions of dollars in damage. We need a capability for our networks to work 
together automatically to weather an attack. Incident information formats, auto- 
matic remediation algorithms, the ability to learn attack specifics from intrusion de- 
tection devices and other network sensors and then share this info with other net- 
works without human intervention are high priority requirements. 

Another significant research topic is the ability to enhance attack identification 
methods. Most intrusion detection or system misuse systems today rely on patterns 
or signatures to identify the bad behavior. This works well for known attacks but 
is useless against novel attacks. The ability to detect attacks and misuse from 
anomalous behavior is needed. 

The ability to detect suspicious or anomalous behavior is also useful to identify 
insider attacks. Studies have estimated that 50 percent of the most damaging at- 
tacks come from insiders. An insider is unlikely to use sophisticated attacks because 
they already have an account on the system — but the ability to monitor system use 
during off hours or track users accessing unusual accounts provides vital clues for 
detecting insiders. 

Continuing with the cyber attack theme — I believe that one of the hardest problems we must solve in cybersecurity is attack attribution. That is the capability to geolocate and positively identify the source of attacks on the Internet. Without confident knowledge of who and where an attack was mounted, it is impossible to decide on the appropriate response. A rapid and reliable capability that separates nuisance hackers from more serious threats would increase the overall effectiveness of every cybersecurity practitioner in both government and the private sector. Effective attribution by law enforcement would also deter the casual hacker and allow resources to be spent on more serious cases. 
3. Suggest advanced technology programs needing higher priority & funding. 

A significant cybersecurity improvement over the next decade will be found in en- 
hancing our ability to find and eliminate malicious code in large software applica- 
tions. Beyond the matter of simply eliminating coding errors, this capability must 
find malicious software routines that are designed to morph and burrow into critical 
applications in an attempt to hide. There is little coordinated effort today to develop 
tools and techniques to examine effectively and efficiently either source or execut- 
able software. I believe that this problem is significant enough to warrant a consid- 
erable effort coordinated by a truly National Software Assurance Center. This center 
should have representatives from academia, industry, federal government, national 
laboratories and the national security community all working together and sharing 
techniques to solve this growing threat. 

We also need the ability to trust the hardware platforms we use for critical appli- 
cations. Most microelectronics fabrication in the USA is rapidly moving offshore. 
NSA is working on a Trusted Microelectronics Capability to ensure that state-of-the- 
art hardware devices will always be available for our most critical systems. 

The DoD is currently undertaking a major program called transformational com- 
munications. This program is developing the military communications infrastructure 
of the future and it will be delivering high-bandwidth, secure, multi-faceted digital 
capabilities across the defense enterprise and down to the individual warfighter. 
Many new cybersecurity requirements are being generated by this initiative and 
they will require significant R&D resources. For example, additional key manage- 
ment infrastructure capabilities, techniques for multi-level security networks, and 
ultra-high bandwidth encryption are a few of the new technologies being driven by 
this requirement. It is important to note that the results of this program will be 
dual-use. The technology being developed will have application for solving many of 
the same challenges that are found in homeland security systems. 

In today’s Information Technology environment, the need is particularly acute for 
ways to counter security vulnerabilities found in popular commercial operating sys- 
tems and applications. While many of these vulnerabilities can be fixed by properly 
configuring the system, the goal is to configure these systems to be as secure as pos- 
sible “right out of box.” Building on the hugely popular security configuration guides 
for Windows 2000, NSA, working with Defense Information Systems Agency, the 
National Institute of Standards and Technology, the FBI’s National Infrastructure 
Protection Center (now at DHS), the General Services Administration’s FedCert, the 
SANS Institute, the Center for Internet Security and vendors — developed a set of 
consensus benchmark security standards. These standards provide a sort of 
"preflight checklist" of security settings. 

The benchmark standards represent an effective model based on agreement be- 
tween security experts, system operators and software vendors. A number of stand- 
ards for the most popular technologies are being adopted by many government and 
private sector CIOs. 

I am happy to learn from your last hearing that some equipment vendors are now 
offering the security standards as the default configuration. I also understand from 
your hearing last week that industry gave high marks to the great work being done 
by the Center for Internet Security. NSA is proud to be a part of this project and 
will continue to support the community in establishing security standards. This con- 
sensus approach may not eliminate every vulnerability, but by working together, we 
can harden our systems against common attacks. 

4. Role of technology transfer among government, academia, and industry? 

NSA is motivated by a sincere belief that the requirements for cybersecurity products and services for national security uses are identical to the requirements found in other mission critical systems, e.g., homeland security and critical infrastructure protection. We have developed a number of programs and policies targeted at leveraging commercial information technology. 

• The National Information Assurance Partnership (NIAP) is a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both information technology producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology and the NSA in fulfilling their respective responsibilities under the Computer Security Act of 1987. The partnership, originated in 1997, combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems. The long-term goal of NIAP is to increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and assessment programs. NIAP continues to build important relationships with government agencies and industry in a variety of areas to help meet current and future IT security challenges affecting the nation’s critical information infrastructure. 

• NIAP also produces cybersecurity specifications, called protection profiles that 
have already been developed for low and medium assurance applications and 
are periodically updated. The profiles are available on the NIAP website for 
anyone to use to describe the features needed for cybersecurity applications. 

• NSTISSP #11 (National Security Telecommunications and Information Systems Security Policy #11) is a national security community policy governing the acquisition of information assurance products. The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those products that have been validated in accordance with either the Common Criteria, or other approved methods. Additionally, NSTISSP #11 notes that departments and agencies may wish to consider the acquisition of validated COTS products for use in information systems that may be associated with the operation of critical infrastructures as defined in the Presidential Decision Directive on Critical Infrastructure Protection Number 63. 

• The Information Assurance Technical Framework Forum (IATFF) is an NSA-sponsored outreach activity created to foster dialog between U.S. government agencies, industry, and academia seeking to provide their customers solutions for information assurance problems. The ultimate objective of the IATFF is to agree on a framework for information assurance solutions that meet customers’ needs and foster the development and use of solutions that are compatible with the framework. The forum serves to increase awareness of available security solutions and allows attendees to establish contacts with other individuals and organizations dealing with similar problems. The Information Assurance Technical Framework document, currently in its third revision, provides over 500 pages of technical guidance for protecting information and information systems. 

• The Centers of Academic Excellence in Information Assurance Education Program is an outreach effort designed and operated by NSA in the spirit of Presidential Decision Directive 63. The program goal is to reduce vulnerability in our National Information Infrastructure by promoting higher education in information assurance, and producing a growing number of professionals with IA expertise in various disciplines. Fifty universities have been designated as Centers of Academic Excellence to date. NSA has also been using the skills found at the service academies in a number of interesting ways. One exciting program is the service academies competition for attacking and defending networks. We also sponsor visiting professors in IA. We need this type of program for our workforce development - we must invest in our future. 

• NSA is also working to transfer techniques to cybersecurity service providers. One of the services that NSA offers under this authority is system security assessment. Since NSA has limited resources to meet the ever-growing demand for INFOSEC Assessments, a training and certification program was developed as a partnership between NSA and private INFOSEC Assessment providers. 

• NSA also created the INFOSEC OUTREACH Program to combine the sub- 
stantial Information Systems Security talents of government and industry part- 
ners. The program provides insight into secure design, security evaluation, and 
the security considerations of system certification. Working together, the part- 
nership of government and industry can meet the increasing demands for state- 
of-the-art secure telecommunications and information systems. 

• NSA and the International Information Systems Security Consortium (ISC)2 
developed a new Information Systems Security Engineering Professional creden- 
tial for information security professionals who want to work on national secu- 
rity systems. The new certification will serve as an extension of the Certified 
Information Systems Security Professional, offered by (ISC)2 for information se- 
curity. 

5. How are research priorities and programs determined in the national se- 
curity area? 

We base our priority decisions on a number of factors. The first factor is determined by the technologies and systems most used by our customers. For example, we recently started a comprehensive R&D program to enhance the security of PDAs and wireless 802.11 networks over the last two years because of the explosion of the use of these systems by our DoD customers. 
We also maintain a large number of cooperative research agreements with many of the most important technology vendors to help us keep ahead of their development cycles. We also work with small firms ensuring that their innovative technologies are fully informed by our cybersecurity expertise. This insight allows us to program for anticipated cybersecurity enhancements of our systems, or in the best case, influence our industrial partners, large and small, to add additional IA features during development. 

Our researchers also participate in R&D agenda setting panels and boards with 
the NSF, DARPA, National Laboratories, and industry associations. We collaborate 
with the R&D functions in our customer’s organizations. All of this information is 
used in making an R&D priority and programming decision. 

NSA is also unique in that we have considerable insight into the threat presented 
by various adversaries from our intelligence activities. Threat profiles are developed 
and these, in part, drive our research agendas. 

6. Share your perspectives on leveraging national security standards for 
homeland security needs? 

National security standards are developed for — and are intended to be leveraged 
for all critical cybersecurity requirements. 

• In order to promote secure interoperability between wired and wireless systems NSA initiated an industry and government consortium to agree on a common signaling plan called the future narrowband digital terminal (FNBDT). Although in reality it is not just narrow band anymore but a broad specification, FNBDT includes a common voice processing capability, a common signaling protocol, a common crypto-algorithm base, and a common key management process. FNBDT has become the primary security standard for cell phones, military radios and many emerging public safety communications devices intended to serve homeland security missions and first responders all around the world. 

• We also created the High Assurance IP Interoperability Specification 
(HAIPIS), which will ensure interoperability with all future generations of IP 
network encryptors. The IP, or Internet protocol, is the backbone of the world- 
wide Internet. This new cybersecurity specification has become extremely pop- 
ular and new products, based on this specification are being released regularly. 

• Many of the technologies that we are suggesting for homeland security re- 
quirements were developed to support coalition military warfare. These systems 
were designed to cost-effectively support a highly mobile and constantly chang- 
ing set of information sharing partners. We are confident that they are exactly 
what many homeland security applications require. 

Conclusion 

It has been my pleasure to share the work of my agency with the committee 
today. I believe that much of the research and development initiated by NSA for 
use in the national security community is directly transferable to the needs of home- 
land security. We all need to work together to shape the demand side of the market. 
Everyone needs trustworthy technology. We cannot afford to cut corners. 

We must change our fundamental assumption from need-to-know to need-to- 
share. We must share policies and processes across the community. Cybersecurity 
products and technologies have been the focus of my remarks today but the tech- 
nology alone will never be good enough to protect us because — ultimately — getting 
cybersecurity right is more about what you do than what you buy. 

Thank you for the opportunity to speak before the subcommittee today. 
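The automated patch distribution the testimony above describes (the software producer, not a person, signs the update; the recipient's PKI trust anchor proves where it came from and that it was not altered) can be walked through end to end in the following Python sketch. This is an added example for this record, not code from NSA, DISA or any vendor. It uses textbook RSA over SHA-256 with a toy Miller-Rabin key generator so that it runs with the standard library alone; that is enough to show the order of checks a client must perform, but it is not a production signature scheme (a real deployment would use RSA-PSS or Ed25519 from a vetted library, with proper certificate encoding and revocation). The producer name "Example Vendor", the certificate layout and the patch bytes are constructed for the demonstration.

```python
import hashlib
import math
import secrets

# Added example: toy textbook RSA over SHA-256 (no padding), stdlib only.
# Shows the verification order; not a production scheme (use RSA-PSS/Ed25519).

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (toy key generation, see note above)."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_keypair(bits=512):
    """Return (public, private); n is `bits` wide so a SHA-256 digest is < n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    return 0 < sig < pub["n"] and pow(sig, pub["e"], pub["n"]) == _digest(data)

def _cert_tbs(name, pub):
    """Bytes the CA signs: a producer name bound to that producer's key."""
    return f"{name}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_priv, name, subject_pub):
    """Minimal certificate: name, key, and the CA's signature over both."""
    return {"name": name, "pub": subject_pub,
            "ca_sig": sign(ca_priv, _cert_tbs(name, subject_pub))}

def publish_patch(producer_priv, cert, patch):
    """Producer side: the bundle an update server hands out."""
    return {"patch": patch, "cert": cert, "sig": sign(producer_priv, patch)}

def verify_patch(bundle, ca_pub, expected_producer):
    """Client side: trust anchor first (is this really the producer's key?),
    then integrity (was the patch altered after signing?). Returns (ok, why)."""
    cert = bundle["cert"]
    if cert["name"] != expected_producer:
        return False, "certificate names a different producer"
    if not verify(ca_pub, _cert_tbs(cert["name"], cert["pub"]), cert["ca_sig"]):
        return False, "certificate not signed by trusted CA"
    if not verify(cert["pub"], bundle["patch"], bundle["sig"]):
        return False, "patch signature invalid (corrupted or forged)"
    return True, "ok"

def demo():
    """Constructed scenario: honest patch, patch altered in transit, and a
    patch signed under a certificate from a CA the client does not trust."""
    ca_pub, ca_priv = gen_keypair()
    vendor_pub, vendor_priv = gen_keypair()
    cert = issue_cert(ca_priv, "Example Vendor", vendor_pub)  # hypothetical name
    patch = b"-strcpy(buf, in);\n+strlcpy(buf, in, sizeof buf);\n"  # constructed
    good = publish_patch(vendor_priv, cert, patch)
    tampered = dict(good, patch=patch.replace(b"strlcpy", b"system"))
    rogue_pub, rogue_priv = gen_keypair()  # attacker's own CA/signing key
    rogue_cert = issue_cert(rogue_priv, "Example Vendor", rogue_pub)
    forged = publish_patch(rogue_priv, rogue_cert, b"+system(in);\n")
    return {"good": verify_patch(good, ca_pub, "Example Vendor"),
            "tampered": verify_patch(tampered, ca_pub, "Example Vendor"),
            "rogue_ca": verify_patch(forged, ca_pub, "Example Vendor")}

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Running it accepts the honest bundle, rejects the altered one for a bad patch signature, and rejects the forged one because its certificate does not chain to the client's trust anchor. The order of checks is the point: the client validates the certificate against the CA key it already holds before it trusts the key inside that certificate, so a perfectly valid signature from a key the client was never told to trust gains the attacker nothing.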

Mr. Thornberry. I thank the gentleman, and all the witnesses, for their testimony. It is rather remarkable to me how much consistency there is really among all three of you. 

At this time, I would yield to the gentlelady from California for 
questions. 

Ms. Lofgren. Thank you, Mr. Chairman. And as I have in past 
hearings, I am really struck by how fortunate we are in this sub- 
committee to be able to really call on some of the smartest people 
in the whole country, and then they come and share with us. So 
it is a delight to listen to each of you. 

I have many questions, but let me just start in with Dr. Sastry, 
because one of the concerns I have, you mentioned HSARPA as an 
encouraging element of the new Department and one with great 
promise. Before you were leading the Department at Berkeley, you 
ran the technology, the cyber part for DARPA. And I am wondering if you can reach back to that part of your experience and give us some advice on what we might do to actually get HSARPA up and running. 

Right now there is, I believe, a recently hired deputy director, 
and that is it. I mean, it was last month you couldn’t even call the 
division because there wasn’t a phone number or an office. And 
there is no director, there is no employees. If you were the czar, 
what would you do to jump-start that effort so it could be as pro- 
ductive for the country as DARPA was? 

Mr. Sastry. Thank you very much, the Honorable Ms. Lofgren. 
I had the good fortune to serve under the deputy directorship of 
Jane Alexander, who is now the Deputy Director of HSARPA; she 
was the Deputy Director of DARPA. So I think we are fortunate 
to have some leadership with experience in the DARPA model. 

The way I would configure HSARPA is perhaps quite substan- 
tially along the lines of the DARPA model with a few differences. 
The way DARPA programs are organized are they are mission-ori- 
ented in the sense that they are 3-to 5-year programs with very 
definite outcomes. And so even in the information assurance and 
survivability suite of programs, we had one on secure systems, we 
had one on fault tolerant networks, we had one on coalitions. And 
each one of those was separately organized, bite-sized pieces of re- 
search. And in addition, the way those were informed by the needs 
of the services and the needs of the service labs was to have the 
service labs be the individual COTRs of the technical contractors 
for executing the contracts. 

So I feel that the IAIP Directorate, the Border Security Directorate, and the Emergency Preparedness Directorate could provide 
staff to be the executors of the contracts that come out of HSARPA, 
very much in that model. 

Now, the question about how one ramps up quickly to this is a 
very important one, and I think it will take some time to hire the 
right program managers and to have adequate turnover, the way 
DARPA does, so as to keep new ideas coming into the agency. One 
suggestion is to actually use existing mechanisms of partnership 
with NSF the way DARPA does, or with DARPA itself in the short 
run, to be able to ramp up to such a state where it has its own 
program managers. 

The one thing I would do differently from DARPA is, because there are 
sort of short-and intermediate-term needs which have to be met in 
the other directorates, I think I would really have a separate office 
which concentrates on the technology transition issue. And the 
technology transition issue would be about setting up the correct 
structures to make sure that, as the programs mature, those get 
taken up. And I alluded to some mechanisms that I thought were 
useful. 

Ms. Lofgren. Mr. Wolf expressed concern about foreign software 
or software developed offshore and its reliability. Do you, Dr. 
Bellovin and Dr. Sastry, share that concern? 

Mr. Bellovin. I am concerned about all software’s reliability and 
correctness. I am not in the position to understand how much 
greater the threat is when it is coming from elsewhere, but we are 
dealing with a screen door, not a vault door in a lot of the software. 
Patching systems — I was asked this question leading up to Y2K. 
A lot of the Y2K remediation work was done offshore. I was 
asked if I was concerned about that, and my answer was, I am con- 
cerned about anybody patching systems regardless of who they are, 
because patches have a much higher bug rate, hence, vulnerability 
rate, than base code. 

So I think if we had the technology to examine any code, no mat- 
ter where it was, for security and assurance, or vendor back doors 
which sometimes are put in for maintenance purposes, we would 
be in a lot better shape. And I would leave to professionals to un- 
derstand how much greater the threat is from overseas. 

Mr. Sastry. If I could amplify on that, I fully agree with Dr. 
Bellovin. I think that one has to be worried about all software. And 
one of the problems about these complex systems has been that 
even though one can trust individual pieces, when you put them to- 
gether, the overall systems tend to suffer from all kinds of prob- 
lems. So I think that there are some glints of hope. But I think 
that the technologies for guaranteeing that software, whether it is 
written overseas or in the United States, is in fact more or less cor- 
rect by construction, are in their infancy. 

One specific one that has come out of Carnegie-Mellon is called 
proof-carrying code. And this is the notion of providing code which 
comes with its own certificate so one can independently prove to 
one’s self that it works the right way. The drawback has been that 
it is not scalable to large systems. 

Now, I think that there is an area of research about how you 
compose and put together large systems. And this is perhaps what 
we have to do on the fly today to reduce vulnerabilities. And so I 
guess there are no easy answers. 

Mr. Wolf. If I could add a comment to that. Really, there are 
two pieces to that. One is certainly the quality of the code. And as 
was referenced earlier, certainly there is a lot of buggy code out 
there. But the other is the trust factor. And when you think about 
the globalization of IT and the people that are writing code offshore 
now, there is a wide variety, many of whom you can say that we 
trust, and there are others that you might not have so much trust 
in. 

And frequently my organization is asked, for example, by law en- 
forcement to look at code and say, is there a back door in this? Is 
there something malicious in it? That is a very difficult problem, 
and the tools aren’t necessarily there to do that right now. And so 
that is the reason that we have talked a lot about the idea of a na- 
tional lab that looks at software. Certainly, you know, the goal 
would be that you write codes so that up front the code is good and 
you have trusted code, trusted modules. But in many cases we don’t 
have that luxury. And if you think about the critical infrastructure 
of Wall Street or the power grid in the east coast, and you look at 
who wrote some of that code, you might be a little concerned. 

Ms. Lofgren. I am intrigued by this, and I don’t know if we will 
have time for a second round. But I am wondering whether some 
of the research — I don’t think that is a function you would want 
the Federal Government to provide, and yet it might work nicely 
with the research that is being discussed, maybe the test bed re- 
search that was referenced in the testimony, so that you might 
have — I mean, the last thing you want is the heavy hand of the 
Federal Government on the creative element, and yet we might 
want some way to examine and have a test bed research compo- 
nent for critical elements of the infrastructure. 

Is that sort of what the two doctors are proposing? 

Mr. Sastry. So, I think test bed research is really a lot of what 
is needed to take ideas from the research stage into systems that 
work. So, the specific kinds of test beds that I alluded to certainly 
for network defense, distributed denial of service and worm at- 
tacks, are coming in with an increased frequency. There are a lot 
of different solutions that the research community is putting out, 
but very few service providers have faith in them simply because 
they haven’t been tried out on systems of adequate magnitude. So 
also in this software verification the questions of how much faith 
you can put in proof-carrying code, which is a piece of code that you 
add to a piece of software to check whether it is actually meeting 
the functions that it was supposed to and whether or not it has 
back doors. 

So I think that a test bed activity is one of the things that is 
needed to fill the chasm between research and what comes out of 
a university or what comes out of other research agencies, research 
groups, and products. 

And then the questions about the regulations. I think that while 
it is true that it is not completely clear whether one ought to be 
heavy-handed in the regulation, I do think that as in the Y2K case, 
the Federal Government had a very, very important role in 1997 
by the SEC asking for companies to file their plans for what they 
were doing with Y2K. 

Ms. Lofgren. If I may, I don’t disagree that the Federal Government must play some role. The question is, what is that role? And 
I think we have discussed many times, and I think there seems to 
be consensus among most of the members of the subcommittee, 
that a heavy-handed regulatory role is probably not the optimal 
role for the government to play, but there is a role for the govern- 
ment to play. 

Mr. Bellovin. There is a need for test beds. The fundamental 
problem of software is scale. We can do small things well, both de- 
veloping and testing; we can’t do large things well. That is where 
a test bed, an opportunity to try certain things at scale in an exper- 
imental setting would be very, very useful. And there are some 
things where it is easier than others. Network technology, it works 
better. 

Software. Most of the large software systems are developed by in- 
dustry. A mass — a software project by definition is very many peo- 
ple over many years with real users and real changes over the life 
span. That is hard to put into a test bed. Nevertheless, an indus- 
try/government/academia cooperation is useful, because industry 
has the software that everybody is relying on, including the De- 
fense Department. We are all running commercial off-the-shelf soft- 
ware for the most part, and we have to get this right to secure the 
critical infrastructure. 

Ms. Lofgren. I think I have more than used up my time, and 
I would like to thank the Chairman for his courtesy and yield back. 
Mr. Thornberry. The gentlelady is asking some very good questions. 

The Vice Chair of the subcommittee, the gentleman from Texas. 

Mr. Sessions. Thank you, Mr. Chairman. 

On behalf of this committee, as you have heard us say, we appre- 
ciate all three of you being before us today. I think this is an im- 
portant exercise for this subcommittee and for our own knowledge. 

Mr. Wolf, I think I would like to direct my question to you, but 
I am not sure it would be limited to you. You speak very forth- 
rightly and clearly about effective border protection. And, quite 
honestly, that makes my mind race. I am a free trader. I believe 
in goods and services and information flowing back and forth be- 
tween countries. And I believe one of the most powerful parts about 
the World Wide Web is its availability to people for commerce and 
other activities. However, the need of this great Nation to protect 
itself and its intellectual property, its secrets, and other things that 
emanate from that is important also. And in my mind, I under- 
stand — I think I understand border, but I am not sure that I do, 
and it is because I really don’t have a concept of where all these 
nodes are that bring traffic into this country to where they share 
our information. 

And standards body. When I was at Bell Labs, we were a part 
of a standards body organization for switch manufacturers. 

I would like for you, if you could, to perhaps go through in a de- 
tailed way about what you see as this border or cyber border. And 
are there things that we as this country should be doing, just like 
trade agreements, to say — or just like Customs would be at an air- 
port in a foreign country or visitors coming to this country. Should 
we place a burden upon knowing who is coming here and where 
they came from? And I know this is hard on a real-time basis. Or 
even if just information that would travel with that packet that 
would comment about where someone originated. I think you see 
where I am coming from. Can you address that? 

Mr. Wolf. Okay. And I guess let me start by saying when they 
talk about border protection, you are really talking about pro- 
tecting — if I can start, say, with your computer at home, in terms 
of having a firewall such that you can control in terms of who 
comes into your computer, who has access to the computer, the 
kinds of things that come in and go out of your computer. So that 
is not restricting you from going to anywhere in the world, okay, 
to look at something on the Internet. But it is meant to stop a 
hacker, for example, from coming into your computer and stealing 
your tax information. So we talk about firewalls. And firewalls 
have a set of privileges that you can identify with them in terms 
of how strict and how high up you want to put the wall, if I can 
say it that way. 

We also talk about intrusion detection systems. So now if you go 
a little further out from, say, your home computer and you want 
to develop a profile of what kind of activities are coming across 
that boundary, looking for hackers, for example, that is kind of 
what we would call border protection. In terms of looking for malicious activity, threats, hackers, whether that is a terrorist, a nation state, whatever. So you are, if you will, protecting your computer environment, protecting cyberspace. 
Now, if you take that a little further to the borders of the United 
States, that would be a very difficult task to put up, if you will, 
some kind of protection around the United States, and probably not 
necessarily a good investment. But you certainly would want to put 
sensors maybe on the periphery of the U.S. again to look at hack- 
ers, to look at people trying to come in to do malicious things to 
you, and to look also at maybe data that is leaving the U.S., the 
idea of — and I talk sometimes, and I think in my testimony talk 
a little bit about the insider. You know, is there information leav- 
ing a facility that you wouldn’t want to leave? Is somebody on the 
inside pushing information out to another entity? 

So when we talk about border protection, we are really talking 
about how do you protect your enterprise, what kind of protections 
do you put around it so that somebody can’t come in and do some- 
thing malicious to your enterprise? So, not really restricting in 
terms of, you know, the Internet as a whole, but it is more the pro- 
tections that you want to put in to make sure that somebody isn’t 
doing something malicious to you. 

Mr. Sessions. So the border could mean any individual computer 
as opposed to in the border I was describing as the United States 
of America? 

Mr. Wolf. Yes. So we are not necessarily talking geographic. In 
DOD, we have something called “defense in depth,” and we talk 
about the enterprise level, the information backbone. There are 
several levels that we talk about in terms of doing protections. So 
it is not necessarily a physical boundary in terms of around the 
United States. Although there may be something in terms of imple- 
menting a network of sensors to look for hackers, to look for kinds 
of activities, malicious activity. That may be something that we 
want to do. 

Mr. Sessions. Okay. Any of the other gentlemen choose to 
speak? 

Mr. Bellovin. Yeah. I am in favor of border protection to the ex- 
tent it is possible; I was the author of the first book on firewalls 
in 1994. But it is a much more challenging problem today than it 
was in 1994, because the amount of interconnection has increased 
tremendously. A modern corporation will have hundreds to thou- 
sands of external links that penetrate its firewall to its outsource 
functions, to its joint venture partners, to its customers, to its sup- 
pliers. All of this is done electronically, and all of this is done by 
means of mechanisms that bypass the firewall, go through the bor- 
der. 

In other words, we have many more border crossings than we do 
today. The virtual private network technology that lets me work 
from my hotel room exactly as if I was inside my office at AT&T 
works very well; but if the same employee who is telecommuting 
via VPN is using that same computer to surf the Internet individually, we have a problem because we don’t have an effective border. 
We are moving more towards a motel rather than a hotel model. 
In the hotel, there are one or two entrances and everyone is walk- 
ing past the front desk. In the motel, every room has got its own 
door to the outside. It is a lot harder to secure that, and we are 
moving more towards the latter. We have to find a scalable solution to let us protect all of these doors. 
I would note that tracing things, where they are coming from 
outside the country, is a lot harder. The hackers don’t use their 
own computers for the most part. They use their own computers to 
hack an easy target, maybe in a university someplace or a small 
company, and use those to hack a few more. Five levels away, that 
is where they will launch the attack from. The attack may be com- 
ing from inside or the outside, but you don’t know where the con- 
trolling messages came from. And that is what makes it so hard 
to trace back these things. Authentication credentials, they are 
stealing the credentials identity today. It would be very hard to 
fundamentally reengineer things to get around that. 

Mr. Sastry. I share your sentiments about being open enough to, 
A, have IT products come into the country, and also for us to be 
able to sell IT products in other parts of the world. And so I think 
that open standards, which I think is one of your concerns, are in 
fact better than standards where one erects barriers. 

But having said that, I think that one does need to have the 
sense of being able to dial up and down security so that even if you 
did have this motel model and sometimes — and physical security 
with different threat levels and being able to dial up and down security depending on your perception of how threatening the environment around you is, the questions of how to do this are, I think, open research issues. 

Also, I think that the questions about being able to trust soft- 
ware, I think it is easy to trust individual pieces of software and 
to be able to test individual pieces of software regardless of where 
they are written. 

On the other hand, the problems are about what happens when 
you try to compose them. And the biggest single problem is when 
you put together complex systems — and people inevitably build 
complicated systems for reasons of functionality — that is when we 
really don’t have guarantees both in security and also in privacy 
because of the kinds of data sharing that occurs across large sys- 
tems. 

So coming back, I think in the earlier parts of our testimony both 
Steve and I, Steve Bellovin and I, agreed that really sort of the bot- 
tleneck problem is to be able to compose secure systems so as to 
guarantee that the overall system works. And I think that the way 
to do that is not actually to stop people from sending software in 
or for us to be able to sell overseas. 

Mr. Wolf. And if I could add one more comment. We talk about 
border protection and firewalls. You also need to think about what 
functions you want somebody to be allowed to do on your computer. 
So it is not just put a border up and protecting it, but it is what 
do you want them to do. Do you want them to be allowed to look 
at Web pages? Do you want them to be able to move files around? 
So there is a whole set of things to go along with that. So it is sort 
of the motel model in terms of defining what you can do in the 
motel. 

Mr. Sessions. I appreciate that, gentleman. That obviously led 
me right to what Mr. Wolf was talking about, and that is our own 
systems is our border. And I appreciate the discussion. I yield back. 

Mr. Thornberry. I thank the gentleman. 

The gentleman from Rhode Island, Mr. Langevin, is recognized. 
Mr. Langevin. Thank you, Mr. Chairman. I want to thank members of the panel for being here, and your testimony, and really 
some of the questions I have prepared you have addressed. But I 
would like to give the opportunity to expand on them a little more. 
And I will start with asking if you can discuss whether there is suf- 
ficient information sharing taking place between researchers who 
discover most vulnerabilities and the companies who created the 
products and the DHS. And also, how could the government help 
to foster an environment where researchers and companies could 
better work together? 

Mr. Langevin. And then, expanding on that point, what do you 
see as government’s role in terms of increasing security and stand- 
ards setting? Should it be fostered through partnerships and pur- 
chasing criteria, or should we take a more active role? I know you 
discussed this a bit already, but if you can expand upon that. And 
basically would government-mandated standards, such as the com- 
mon criteria, be a baseline or hindrance for future innovations? If 
you could take a crack at those, I would appreciate it. 

Mr. Bellovin. When it comes to vulnerability reporting, there is 
pretty good cooperation between the people who find the holes and 
the vendors. There is sometimes an unrealistic expectation of how 
soon a problem can be resolved. More responsiveness, at least ac- 
knowledgment, would certainly help. I think it is cases of people 
getting frustrated at reports being ignored. In general that is a 
path that works well. 

Sometimes people have unrealistic expectations about what can 
be done. You know, the problems are generally subtle, or they 
wouldn’t be there in the first place. 

For standard setting, I would suggest the procurement model is 
much better. We don’t know exactly what we are doing. There is 
a saying, if we knew what we were doing, it wouldn’t be called research. And to try to mandate certain things is probably premature 
given the state of the art. The Common Criteria is a useful step 
forward. As an NRC report a few years ago pointed out, it doesn’t 
really address a lot of the software models we are dealing with 
today. It is also extremely expensive to produce software that 
meets these criteria and can continue to meet these criteria over 
the life cycle of the hardware and software platform. 

This has tended to make such systems slower, much less modern, 
and much more expensive than the commercial off-the-shelf alter- 
natives, which has generally led people to buy the commercial off- 
the-shelf alternatives, because they don’t perceive the threat, there 
is no particular push back, no incentives, as I said earlier, for peo- 
ple to install the more secure software in most situations. 

Mr. Langevin. Okay. 

Mr. Sastry. I share a lot of the comments made by Dr. Bellovin. 

Let me talk a little bit about the information-sharing, which is 
one of your questions. I think that information-sharing is an impor- 
tant step. The ISACs are certainly an attempt to try to get infor- 
mation-sharing across industry sectors. 

My perception is that there is a lot of concern in industry about 
sharing this information, partly because there isn’t a lot of sensitivity about how this information would be protected by FOIA requests. Of course, there are ways, there are other transaction authorities and other procurement mechanisms by which this information could be protected. I think industry needs to be sensitized 
to the fact that they can, in fact, share this information without its 
being open to public scrutiny. 

My sense also is that there is a certain amount of funding, and 
I think the Federal role in being able to smooth this information- 
sharing is not to be underestimated. I think that there is a sense 
that a lot of especially small companies feel that they are sort of 
doing that on their own dime. So I think that if they had a greater 
sense of feeling protected when they shared the information, and 
also they were given some help, some financial help, for sharing 
this, I think this would go a long ways to where it is helping the 
ISACs. 

Mr. Langevin. Could you expand on that. How we do that? How 
we foster that? 

Mr. Sastry. I think there are mechanisms inside DHS, and I 
think there are questions of appropriation of a certain amount of 
resources simply for the ISACs. And the other transaction author- 
ity is simply the contractual mechanism that can be — that can be 
chosen to be exercised by the Department of Homeland Security to 
actually protect the information from FOIA requests. 

I think they have the — I do think that they have the OTA au- 
thority to do so. The telecom — and the telecom folks that we talked 
to at BellSouth and others were really quite concerned about being 
sort of reassured about this, partly because this OTA is not a well- 
known contracting instrument, and people don’t know all of its pos- 
sibilities, I guess. 

Mr. Langevin. Thank you. 

Mr. Wolf. A major part of my mission, if you look at my mission 
statement, is to discover vulnerabilities, because my job is to pro- 
vide secure systems for the national security sector. So we put a 
lot of effort into discovering vulnerabilities. And we work very 
closely with industry. We work very closely with academics in 
terms of how we do that. 

We have various research agreements such that — with various companies, they are called CRADAs, cooperative research agreements, 
so that we get access, for example, to source code, and again, with 
the idea of how do you improve the source code to improve the se- 
curity. When we find a problem, we go back to the company, we 
explain what the problem is, and in many cases provide them some 
of the technology to help improve their product, because, again, we 
are trying to build product. 

That is my main goal, to get product out there for the national 
security sector. Of course, the byproduct of that is it is dual-use 
technology. So anything I provide to national security in many 
cases can be applied other places. 

So I would say there is a very close relationship in terms of 
working with industry on that. I can probably go through many, 
many examples of successes that we have had in that area. 

You mentioned about security settings and benchmarking. I 
think that is a very, very important thing. I mentioned that in my 
testimony in terms of how do you configure things out of the box 
so that they are very secure. And we are very active in that particular area. Common criteria is something that we strongly support. We put a lot of effort into common criteria. 

Common criteria, what it does is it is really, I will say, raising 
the bar, if you will, in terms of information assurance. It is not the 
ultimate answer, it doesn’t make it perfect, but what it does is it 
does put products through a fairly rigorous testing for certification, 
so that given a set of functions that the product is supposed to do, 
that you have demonstrated that it does do those functions under 
certain conditions. 

Now, again, it doesn’t solve all of the problems, but it does raise the 
bar. And common criteria probably needs common criteria 2, some 
additional things to common criteria. And I share the comments 
and agree that common criteria can be a little expensive for compa- 
nies, and that is something we are also trying to work in terms of 
how we can improve either the timeliness of things getting through 
the process, or how we can do something in terms of helping in 
terms of financially. But that is a difficult problem to resolve. 

We have reached out to homeland security, in particular Bob 
Liscouski in the IP, and have talked to him about working with us 
in NIAP and how we can leverage the kinds of things that he needs 
to do with the national security sector. So together what we do is 
we come to the table with a larger, if you will, market share. If we 
just looked at the national security sector, that is not a big sector 
in terms of many of these products. So in terms of getting the 
things through common criteria through NIAP, if there is home- 
land security and national security, that makes it a much larger 
market, and makes it more cost-effective in terms of a company 
going through that and getting that process done. 

I guess the other question was about mandated standards. I 
don’t believe we should mandate standards. We should establish 
standards. We should sort of recommend standards. But I think, 
you know, one of the problems with standards, and I certainly see 
it in my sector, we have everything from a small military installa- 
tion with a small requirement to some large network like the 
SIPRNET, and to try to mandate one standard in those two ex- 
tremes is very, very difficult for anybody to meet. 

So I think you want to establish a set of standards, recommended 
standards, and do it that way rather than make it mandatory, be- 
cause one size does not fit all. 

Mr. Bellovin. Let me echo that. If it was that simple to ship a 
secure system, Microsoft and Sun Microsystems and everyone else 
would have done it years ago. How you use, how you configure a 
network or system depends on its purpose. A laptop that is used 
for text editing and e-mails has very different configuration re- 
quirements than a software development machine, which is very 
different than a Web server, which is very different than a data- 
base server and so on. 

There are about as many different uses of computers and con- 
figurations as there are computers, and one size does not fit all. 

Mr. Sastry. If I may just respond to your question of partner- 
ships. And now I will sort of take the academic. I think the prob- 
lems, the research problems and the development problems, are 
really too large for just about any group in this Nation. So I think 
it is especially important for research groups to work in teams. And 
at Berkeley we have really found it very, very important to collaborate with large numbers of research groups across the length and 
breadth of the Nation. 

The questions are then about what facilitates this collaboration 
is really at the academic, at the research level, that we have open 
standards where we don’t use IP protections inside universities for 
protecting the kinds of software and systems research that we do, 
but at the same time we allow for industry partners to be able to 
uptake that information and take it out of the open source develop- 
ment, and then take it and encapsulate it into their products. And 
so, for instance, in sort of a research center on trust, which we 
are doing with Stanford, Carnegie Mellon, Cornell and Vanderbilt, 
we have found it very important that we voluntarily have adopted 
an open source IP policy amongst ourselves, while making sure 
that the companies, the industrial partners, can actually take the 
open source materials that are created, the secure trusted systems 
that are created, and then go take it into their proprietary prod- 
ucts. That is sort of something that I think that the research sector 
can do in this particular space. 

Mr. Wolf. One of the exciting things that is happening in NSA 
right now is that — . 

Mr. Thornberry. The gentleman from Rhode Island elicited a 
host of interesting responses, which we certainly may want to pur- 
sue, but in the interests of time, let me turn to other Members, be- 
cause we have gone well over double the 5 minutes. 

Mr. Langevin. I thank the Chairman for his latitude in allowing 
the panel to answer. 

Mr. Thornberry. I appreciate the gentleman’s questions. Excel- 
lent questions. 

Does Chairman Cox wish to ask questions at this time? 

Mr. Cox. I do. Thank you, Mr. Chairman. I wonder if I could ask 
Dr. Sastry and Mr. Wolf whether you agree with the statement 
made by Dr. Bellovin in his testimony that when it comes to cyber, 
most basic research is being done in our universities. Is that your 
opinion as well? 

Mr. Wolf. I would — 

Mr. Sastry. I am sorry? 

Mr. Cox. If you could not hear the question, I am asking whether 
you agree with Dr. Bellovin’s assessment that when it comes to 
cyber, most basic research is being done in our Nation’s univer- 
sities? 

Mr. Sastry. I would say so, even though there are pockets of excellence in industrial research labs as well, such as Dr. Bellovin’s group itself. 

Mr. Wolf. I would disagree. I would say it is done in many 
places. Cybersecurity covers — there are many facets to that. I 
would point to DARPA, I would point to NSF, I would point to 
some of the things that NSA is doing. I would point to the national 
labs. There is some very interesting work being done in the na- 
tional labs in cybersecurity. Again, some of that is classified re- 
search, so everybody doesn’t necessarily get to view that. 

Certainly in the academic areas, there is lots of work being done, 
and we partner with the academics, so it is being done in many 
places. I don’t think there is one area that — one organization that 
you can point to, one entity, and say that they are doing most of 
it. 

Mr. Cox. Well, I ask the question not because I think that Dr. Bellovin would disagree with anything that you just said, but because I think, Dr. Bellovin, one of the points that you are making is that it is — that we know essentially where the researchers are, and that it is difficult to scale up; that we can throw a lot of money at this, but we also have to spend just as much time thinking about which direction we are going, because we can't make it up on volume. We are not going to be able to reproduce all of this. Is that a fair statement of your point, Dr. Bellovin? 

Mr. Bellovin. Yes, that is it basically. I am not saying there is 
no basic research. There is certainly a very large need for applied 
research which does go on very many places. But university re- 
search can’t be scaled up, basic research can’t be scaled up by too 
much, because there aren’t the people to do it yet. 

Of course, these are the people who are training the future gen- 
erations of researchers. So it is very important that we encourage 
this, because it is not a problem that is going to go away any time 
soon. 

Mr. Cox. Well, taking that point, as supplemented and augmented by Mr. Wolf's comments, and we are well aware that we 
have the Federal piece, some of it is not public, so maybe our esti- 
mates of whether majorities here or there might even be a little 
soft, we are going to — I am going to infer from this, and this is the 
premise of my next question, that we are going to need to rely on 
our Nation’s universities for some of the big objectives that we are 
attempting to tackle here, that this is going to be a partnership, 
and the Federal Government is going to partner with our univer- 
sities. 

And then that takes me to, Mr. Wolf, your next point, and our 
Ranking Member Ms. Lofgren also questioned you about this a lit- 
tle bit, and that is our need to focus on U.S. technology, and wheth- 
er this is possible if we have open standards, if we have a lot of 
people participating, if we are using the private sector as well as 
universities, it is not all in a black program in the Federal Govern- 
ment; is it realistic to assume that this is possible? 

Mr. Wolf. Well, I think it would be difficult to say that we 
would use all U.S. That wasn’t my point. My point was really that 
there are certainly critical areas where you want to have a good 
control of, you know, your hardware and your software, maybe in 
a critical infrastructure, certainly in the national security sector. 

So if you have a system, you may want to look at certain areas 
and put better controls over the — I will say both the quality and 
the trustworthiness of the software. My comment about, you know, 
national software assurance laboratory, that may be a way of tak- 
ing software, wherever it is written, and be able to validate it and 
say, yes, this is trusted software. The world right now, we are — 
IT is globalizing. Lots of work is going offshore. The U.S. cannot 
do everything. As I say, it is globalizing. 

So it is a matter of how do you look at software code. How do 
you validate it? How do you say you trust it? So whether it is U.S. 
or foreign written, it is really a question of trust. How do you es- 
tablish trust in the software to make sure that it really does what 
it says it does? So it is not only the quality, but also the trustworthiness. 

Mr. Cox. To the extent that our focus is on firewalls, or at least 
on that genre of technology that is meant to help networks resist 
attacks, an additional reason besides our own homeland security 
that we need to be concerned about theft, about penetration of 
these programs is that other nation states who are wary of the 
Internet, don’t want their citizens using it, and who are using black 
boxes and firewalls to prevent their citizens from having access to 
the outside world would be thrilled to lay their hands on the most 
sophisticated technology that we have developed at taxpayer ex- 
pense in order either to prevent their citizens from having access 
to the Web, or to trace the behavior of their citizens so that when 
they are doing things on the Internet that the government doesn’t 
approve of, they can land them in jail. 

What can we do, therefore, to focus on security of the tough 
measures that we are trying to develop in our own country? And 
for this purpose I include both cybersecurity and physical security. 
And I address that to all three members. My time has expired. I 
thank the Chairman. 

Mr. Sastry. So your question is really quite interesting. Let me 
first talk about security and privacy. So the questions about build- 
ing in privacy with — strong privacy with strong security, my own 
sense is that the kinds of technology solutions that help foster 
strong privacy include things like audit, include things like watch- 
ing the watchers to try to determine who is watching what; also, 
these questions of selective revelations, which means that queries 
are answered narrowly so as to selectively reveal information little 
by little rather than have access to a lot more than is asked for; 
and then finally the questions about being able to understand if 
certain privacy standards are being met, and there are a host of 
new technologies, such as encrypted queries, crypto protocols is 
what they are called, for being able to enforce that. 

So I think that in terms of taking worldwide leadership, I think 
we can really build in strong privacy into our strong security solu- 
tions. And then, of course, the questions of how this may be used 
overseas, of course those are much more complicated ones, but 
nonetheless we will have products which have strong privacy safeguards built into it. So, I think that this is one thing that we can 
do to sort of foster our ideals, while providing strong security. 

And I think that this message is somehow a little different from 
a message which says that you have to give up privacy in order to 
get security, because the technology indicators are all that — in fact, 
they are mutually reinforcing, rather than one at the expense of 
the other. 

Mr. Wolf. Not necessarily a complete answer to your question, 
but certainly one of the things is — at the national security sector 
is that we do have levels of protection that you put into various 
systems. So, for example, levels of encryption, where you have 
the — I will say the high-grade encryption, which is for the most sig- 
nificant and the most sensitive communications, where you may 
have other levels of encryption that aren't quite as good, but are 
still adequate to protect the information. 
So you can think of that in terms of the products that we are 
putting out. You may have a higher level of protection in terms of 
protecting the power grid in a product than maybe the general 
product that would be available that would be sold overseas. So 
there are ways that you can do them. 

Mr. Bellovin. The firewall technology, one of the criticisms of 
firewalls is that they assume that everyone on the inside is a good 
guy, is following the rules. This is a problem in industry as well. 
But in terms of the model you speak of, with repressive govern- 
ments trying to isolate their citizens from the Internet, in that case 
it is the people on the inside who are actively trying to get around 
the firewall technology. And firewalls are not very good at that. 
There are some that do better than others. 

We are better off with strong firewall technology to protect our- 
selves with multiple overlapping layers of defense in depth to pre- 
vent people from the outside getting in, using overt mechanisms to 
provide insider behavior, ones that don’t scale to a whole country, 
whereas outbound traffic is relatively unrestricted, and you rely on 
internal auditing. That, I think, would not pose nearly as much of 
a threat of being used by repressive governments to keep their own 
citizens from accessing the Internet. So I don’t think there is any 
particular conflict there. 

Mr. Cox. Well, I am happy to hear that. 

Thank you, Mr. Chairman. 

Mr. Thornberry. Thank the Chairman. 

The gentleman from North Carolina. 

Mr. Etheridge. Thank you, Mr. Chairman. And let me thank 
you and the Ranking Member for this meeting, and for our distin- 
guished guests for being here today. It has been very interesting 
thus far, and I appreciate that. 

Gartner, Incorporated, a respected IT consulting organization, 
has estimated that about 90 percent of the cyber intrusions could 
be avoided if individuals and companies consistently maintained 
the security of their computer systems by monitoring use and in- 
stalling software patches to identify security flaws. 

Number one, do you agree with that? And, number two, do you 
believe that software vendors could make security maintenance a 
little more user-friendly? If each one of you would just touch on 
that. 

Mr. Bellovin. I would guess that it is more like 95 to 98 percent 
than 90 percent. I very much agree with that statement. But, as 
I indicated in my written testimony, patching systems, especially 
production systems, is a much more challenging thing than it 
should be. I will not update my PC after about April 1st until I 
have filed my taxes, because I can’t take the risk of some unrelated 
change disabling the tax preparation software I use. And you have 
got that problem in spades if you are running a corporate Web 
server, a major corporate or government database and so on. 

As Dr. Sastry has indicated, the composition of systems, the com- 
ponents of complex systems working together properly is a very, 
very difficult and unsolved problem. We don’t know how to do this. 
This is why patching is so hard. It is not that the administrators 
are irresponsible, or that the vendors haven’t supplied good tools. 
It is that we don't know how to do it easily, reliably and without 
breaking something else. 

Mr. Sastry. Mr. Etheridge, if you were like me, when you are 
installing a computer and you have all of these queries which say, 
will you do this, will you do this? I think everybody’s tendency is 
just to press, yes, yes, yes, or no, no, no randomly. So I think what 
you are alluding to is a big, big hot-button item. 

So people talking about human computer interaction. So I think 
the notion of human computer interaction for security to make it 
easier for people to actually understand what they are doing and 
be able to configure their systems is — I think is a vast and rather 
untapped area of research in cybersecurity. If anything is needed 
right away, it is one of those for the — and I agree with your statis- 
tics, too. 

Mr. Wolf. Operationally my organization does red-teaming, 
which is an organization that tries to penetrate networks. So we 
have customers in DOD that ask us to go look at their networks 
and to see if we can get into them. And I can verify that your 90 
percent is probably correct. It is the networks that haven’t been 
properly patched, configured properly. We look for those kinds of 
things. That is usually the door that we get in. 

If I look at the statistics that come out of the defense — of the 
DOD networks, that come out of the JTF-CNO, I think their state- 
ment is it is about 90 some percent of the attempts to hacks are 
really trying to get at things that haven’t been patched properly. 

In my testimony I talked about automatic patching and how that 
is a significant research agenda item. I believe that needs to be 
done. How do you make patching much easier for the system ad- 
ministrators? They are overwhelmed with the number of patches 
and problems and configuration settings that they have to do every 
day. And the idea of having preconfigured systems coming out of 
the box that are security-conscious in terms of here are the right 
settings, I think, is also another step forward. 

Mr. Etheridge. As you have noted before, and others before us, 
that the government, universities and the industry need to encour- 
age more students to get into math, science and all of the science 
areas of technology in order to produce more graduates who can 
deal not only with cybersecurity, but with this whole issue of tech- 
nology that we are dealing with. 

And let me go to each one of you on this one, starting with you. 
Dr. Sastry. Is the academic community acting in a way in retaining 
the number of scientists needed in the research area as it relates 
to cybersecurity as we look down the road, and, more specifically, 
making these systems more user-friendly? Because I think that is 
the key to getting the security. 

Mr. Sastry. Sir, it has been recognized that human computer 
interactions for cybersecurity is something that we need to focus 
on. The realization has kind of surprisingly recently. So in some 
ways the work is only now beginning. 

The questions about training the workforce, I think these are 
very, very — this is a really a very important item for us, because 
security, of course, depends on making sure that the entire popu- 
lace is educated about all the needs of cybersecurity, because, of 
course, it is only as strong as the weakest link. I think that there 
has been in the last 2 years a shift in enrollments. I am in an electrical engineering computer science department. So there has been 
a shift away from computer science towards computer engineering, 
which in some ways is encouraging, because it does encourage peo- 
ple to now start thinking about information technology as a tech- 
nology that is woven into the fiber of our everyday life and into our 
societal scale systems. 

But other disturbing trends are that the percentage of women 
that are coming into electrical and computer engineering, we have 
actually given up the advances that we made in the mid-1990s in 
the last 4 or 5 years. That indeed is subject for concern; so also 
with other segments of the population. So at Berkeley, we have ac- 
tually started going out and visiting high schools to try to get them 
thinking about cybersecurity already in high school, and certainly 
in Oakland and San Jose and all of the neighboring schools. So 
your remarks are really on target for our priorities. 

Mr. Etheridge. Thank you, sir. I see that I am out of time. But 
I would be intrigued, because I think it is important in every area 
of industry as well. 

Mr. Bellovin. I don’t have anything to add on that. 

Mr. Wolf. I was just going to comment on our outreach program 
to educational institutions. We have the Centers of Excellence. We 
have 15 universities that have an IA curriculum. We work with the 
service academies. We are currently starting to do some things at 
the community college level, sort of what you were saying in terms 
of kind of moving up through the lower levels up through the universities. We clearly need to make more people aware of IA in 
terms of things that need to be done. 

Mr. Etheridge. Thank you. 

Mr. Thornberry. Thank the gentleman. 

The gentlelady from the Virgin Islands, Dr. Christensen. 

Mrs. Christensen. Thank you, Mr. Chairman. I don’t expect 
that — I want to thank you for this hearing as well. I am becoming 
better informed on the area of cybersecurity, although I am still far 
from being an expert. My questions are going to be a little dif- 
ferent. 

Dr. Sastry, in your testimony, you talked about whether the Fed- 
eral Government would play the role of market maker and asked 
was there sufficient demand to stimulate new companies around 
ideas. It would seem to me that a fairly sizable demand would be 
in the private sector, and in corporations for security and for 
cybersecurity. 

We recently did Bioshield to encourage and expedite the develop- 
ment of countermeasures for bioterrorism agents, which will in- 
volve a significant expenditure on the Federal Government’s part. 
Do you foresee in the area of cybersecurity that the Federal Gov- 
ernment would have to provide most of the funding, or do you see 
that there is really a sufficient demand in the private sector that 
there would be more cost-sharing on the private side, and there 
would seem more diverse use, other than for homeland security, for 
government use in these kind of products? 

Mr. Sastry. Thank you very much for your question. I think that 
the big market, of course, is in the private sector. And the big market is in the infrastructures which are certainly not owned by the 
Federal Government, which are privately owned. 

The question, of course, has been about jump-starting this mar- 
ket. So, just to give you an example, there has been a big buzz in 
the venture community about investing in security for the last 2 
years. But, on the other hand, a number of the portfolio companies 
that come out of the venture community actually have not had a 
stream of revenue in secure products. So our sense is that since the 
Department of Homeland Security itself is committed to, in its Border and Security Directorates, IAIP Directorates and the Emergency Protection Directorates, to buy secure products, our sense is 
that having this — having this sort of as a badge to distinguish 
these products will actually jump-start the market in the private 
sector. 

I think my own expectation is that that would not — it is not 
something that one ought to or perhaps could subsidize. On the 
other hand, I think that if one — when I said a market maker, it 
was just a question of jump-starting the market by adopting cer- 
tain sets of secure products in the beginning. 

I think the same — and the model, again, is a little bit like the 
DOD model. So the Internet actually grew from the ARPANET 
being used for certain DOD applications, and then sort of every- 
body else sort of jumped onto it, and so also for high-performance 
computing, which resulted in PCs. So that is sort of the market- 
maker analogy that I was using. 

Mr. Bellovin. I would agree that much of the funding and en- 
ergy has to come from industry. The Government’s role is to create 
the appropriate incentives. If you look at the history of, say, cryp- 
tography, there is 100 to 150 years’ worth of experience of people 
saying, I have got a really cryptographic solution and then going 
bankrupt because nobody wanted to buy it, because they didn’t ap- 
preciate that they actually needed this technology. 

We are sometimes seeing the same thing in the computer secu- 
rity community today. There are solutions that have not been 
adopted by corporations that don’t perceive the threat. It is only in 
the last few years that more than, say, the financial community 
and the military have really begun to realize that there is a real 
threat out there, and a real market. 

I note in the last year or so Microsoft has finally gotten religion 
about security and started to take some very admirable projects 
and efforts, from what I have heard, internally, doing a very nice 
job. But it is going to take years for this to have an effect. But the 
real question, and this is the role for government, is to create in- 
centives for corporations and government agencies to start thinking 
about security when they design systems and when they procure 
systems, creating the incentives for them to do so. That is a dif- 
ficult problem, but that is a role for government. 

Mr. Wolf. I would agree with some of the things that have been 
said so far, but I would sort of focus a little bit on the global IT, 
the amount that is being spent in the U.S. Government on IT, the 
amount that is being spent on information assurance kinds of prod- 
ucts. 

Mrs. Christensen. Can I just interrupt your answer to just add, 
that I understand that less than 1 percent of the science and the 
technology budget, or about $80 million, is being directed to 
cybersecurity and R&D. Is that adequate? Could you also — . 

Mr. Wolf. I am sorry. Say that again. 

Mrs. Christensen. I understand that about $80 million is di- 
rected to cybersecurity R&D in the Science and Technology Direc- 
torate budget. It seems like you were going to talk about the 
amount of government spending. This is in the Department of 
Homeland Security. 

Mr. Wolf. Okay. I am not — 

Mrs. Christensen. Could you also respond to whether that is 
adequate? 

Mr. Wolf. I think we need to be spending more money in re- 
search really and in cybersecurity. I think there is a lot more 
things. I think we are underfunded in many areas. 

The comment that I was going to make is that, you know, we 
have tried to move from a demand — or a supply side to a demand; 
that customers are educated in terms of information assurance, in 
terms of cybersecurity, and they are looking for products and de- 
manding products, that they actually need them. 

That is one piece. The other piece is the idea of maybe looking 
at insurance. If you look at a facility in terms of you evaluated it, 
is it certified, and then there is an insurance break that goes along 
with the corporation that, quote, has good system administrators, 
they have gone through some certification process, you have a reasonable architecture, that is a way in terms of — rather than overregulating or enforcing standards — that you indirectly, okay — you 
can create more of a demand for the products. 

Mrs. Christensen. Thank you. 

Thank you, Mr. Chairman. 

Mr. Thornberry. Thank the gentlelady. 

The gentleman from Kentucky Mr. Lucas. 

Mr. Lucas. Thank you, Mr. Chairman. 

This is a hypothetical, sort of a holistic, big picture question. I 
would ask each of you to comment on this. Let's assume for the moment that you have been put in charge of cybersecurity for the Federal Government, Homeland Security, and you have been asked to 
prepare a budget for that job, to do an adequate job, and that you 
submit this budget, and you get a third of that budget, one-third 
of the money that you think you need. I would ask you how would 
you prioritize what you would spend that money on, if you only got 
a third of the resources that you felt you needed to do the job. I 
would like for each of you to answer that. 

Mr. Bellovin. Well, if you are talking about operational net- 
works, I would first put money into systems administration, be- 
cause, as we said, 90 percent of the attacks are from known holes 
that haven’t been patched. That would be my first priority, to im- 
prove the resources for system administration and what they need 
to do the job. Past that, for research funding, I would start to focus 
on composition of secure system development. 

Mr. Sastry. I understood your question to be about research 
money. Of course, for the operational aspects, I would fully agree 
with getting systems administration to the fore and empowering 
systems administrators to be more involved in decision-making. 
For the research money, the way I see it, it is sort of a world of 
networks and systems. One has got to protect the systems of the 
computers, the networks on top of it, and then finally coalitions of 
systems on top of it. So I think that if the research money was cut 
in a third, I would make sure that there was coverage at every one 
of those levels, at the level of individual systems, at the level of 
networks, and then, of course, at coalitions, of groups of users. 

Having said that, I think then the question about a few areas to 
invest in, I think there the notion of how you build complicated 
systems which are trustable from pieces that can be trusted, which 
is the composition that we keep coming back to, needs to cut across 
all of these layers. Then I think the human computer interaction 
question that Mr. Etheridge raised, I think that is equally important 
to me. 

And finally, the third thing I would do would be the test beds 
to make sure that the research got out to companies that could 
then sort of produce product. 

So those are sort of a matrix. I would make sure that the net- 
work systems are all populated, and then the three areas — those 
would be my three pet areas. 

Mr. Wolf. I would start, I agree with the operational aspects, to 
make sure that your operational pieces were secure. So it is the 
system administrators, it is the patches, it is the kinds of things 
that we have talked about so far. 

The second area that I think I would look at would be sort of 
my — I will call it my infrastructure. Given that I only have a third 
of the budget that I need, I would look at my infrastructure and 
try to build an infrastructure that I could then build on in the fu- 
ture, so — as you get your funding for the following years. So, if you 
want to call it — maybe it is the — I won’t say the key management 
infrastructure, but it is the PKI, it is the kind of things that you 
could then build tools and techniques and products and services on 
in future years. That would be my second area. 

And the third, I think that I would take a step back, and I would 
look at all of my systems, my networks, my — whatever my oper- 
ation is, and I would try to identify what are the most — I will call 
them the critical areas and apply the dollars to those as maybe the 
third venture there. 

And, of course, I would also put a piece to research, because I 
think a lot of times we are very short-sighted when funds are cut — 
I worked for the government for many years — that we tend to cut 
the research piece. If you tend to favor the operational piece, but 
the research piece is your investment in the future. If you don’t put 
dollars towards that, then 5 years from now you will be dead in the 
water. 

Mr. Lucas. Thank you very much, Mr. Chairman. We have got 
a vote coming up, so I will stop there. 

Mr. Thornberry. The Chair appreciates the gentleman. 

Does the gentlelady from Texas have questions she would like to 
ask? 

Ms. Jackson-Lee. Thank you very much to the Chairman and 
the Ranking Member for holding this hearing. 

Mr. Chairman, I ask unanimous consent that my statement be 
submitted into the record. 
Mr. Thornberry. Without objection. 

Ms. Jackson-Lee. I appreciate the testimony of the witnesses 
and their indulgence. I am in a Science Committee mark-up that 
is going on simultaneously, and so I thank you very much for your 
patience. 

I just want to focus in one area very quickly. We do have votes 
on. That is the need for the prominence of cybersecurity issues 
under the Department of Homeland Security. And what we have 
noted is that the funding has not been where we would like it to 
be. A Director has not yet been appointed. It all suggests that we 
need to refocus our attention on this area. 

So if you would answer these questions quickly, I would appre- 
ciate it. One, my understanding is, or my sense, that as we are 
going into the 21st century, Y2K we were all focused on what tech- 
nology, Internet, could do to this Nation. Literally we were in a 
panic about it being able to stop us in our tracks. After 9/11 we 
began to focus on some very real concerns about security. 

I don’t know where we placed the need and the focus of security 
in this instance, cyber security, inasmuch as we are still in the 
same boat, that the — the attack on our security infrastructure, our 
technology infrastructure could bring this Nation to its knees. So 
my question to you is have we focused enough? 

The second part of it, with respect to research, have we expanded 
it enough? I believe we should start expanding our reach to univer- 
sities around the Nation, research entities around the Nation, and 
as well make sure we include Hispanic-serving institutions, historically black institutions, Native American-focused institutions, and 
others in areas that can address the questions of urban and rural 
security as relates to technology. 

And if you would answer those questions, I would appreciate it 
very much. And I thank the gentlemen for their testimony. 

Mr. Sastry. You have certainly hit the issues that are most im- 
portant to the research community. Our sense, too, is that it would 
be useful to have a focused Federal effort in cybersecurity research, 
and a focused effort which, in fact, involves groups of institutions 
across the length and breadth of the Nation. 

There is a very, very substantial educational agenda, and the 
educational agenda does indeed need to reach out to every corner, 
as you have correctly pointed out. I am in complete agreement. 

Now, the questions about — I do believe that DHS and HSARPA 
could be the place where cybersecurity research could be given 
marquee status and then be adequately funded and adequately 
managed. And I felt that the DARPA model was actually a pretty 
effective model for doing this. The Defense Advance Research 
Projects Agency, the DARPA model, was an executive model for 
managing — this is HSARPA. 

Ms. Jackson-Lee. You would encourage the creations of consor- 
tiums with joint working relationships with universities around the 
Nation? 

Mr. Sastry. Right. The coalitions, of course, could be created by 
the institutions themselves, or in the form of research programs in 
the DARPA model where you actually bring institutions together, 
and a program manager, a Federal program manager then sort of 
builds the bridges between those institutions. 
Ms. Jackson-Lee. Do you see the need also for enhancing experts within the minority communities, because we are certainly 
limited in the Ph.D. candidates and Ph.D. graduates from those 
communities? 

Mr. Sastry. That is absolutely true. And that is true all the way 
from the high school level up all of the way through the graduate 
programs and the faculty as well. 

Ms. Jackson-Lee. Anyone else? 

Mr. Bellovin. A National Research Council panel I was on noted 
that — concluded that today there probably could not be a massive 
disaster caused by a pure cyberattack, something close to the scale 
of 9/11. It doesn’t mean it can’t happen in the future. As we become 
more networked, as industrial processes, so-called SCADA systems, 
controlled power lines and industrial processes and so on, as things 
become more networked, the danger will increase. We have a few 
years before we are there. We need to take precautions right now. 

And I would note that everybody’s computers can be leveraged 
for launching attacks. There have been reports in the papers in the 
last few weeks about personal computers being hacked to serve 
spammers and pornographers and so on, which means that any- 
body’s computer in every sector of the society, we need to learn how 
to secure these. And individuals need to learn how to protect 
things, too. 

Ms. Jackson-Lee. Thank you. 

Mr. Wolf. There is a long list of research topics that need to be 
done, and clearly we need to leverage everybody in terms of work- 
ing on those topics. So the idea of having some sort of coordinated 
effort in terms of where research — who is doing what I think is 
needed. We have done a lot of outreach recently with DARPA, NSF, 
academics, et cetera, to try to understand where research is being 
done to leverage all of that. 

Second, we are going out to the academic institutions with our 
list to try to get some help in terms of doing the research, and that 
is all universities that are out there. 

And your other comment about the — sort of the threat. I am not 
sure we really understand the threat in terms of how serious an 
attack on the infrastructure of the U.S. could be. I think there 
needs to be some focus on that. 

Ms. Jackson-Lee. Thank you. 

Thank you, Mr. Chairman. 

Mr. Thornberry. I thank the gentlelady. 

As the witnesses know, we do have votes on. I am not going to 
ask you to stay during these votes. So, with each of your permis- 
sion, what I would like to do is submit some additional questions 
in writing to you. I think there are a number of areas that you 
have touched on that I want to follow up, including this whole soft- 
ware verification issue, this issue of translating research into the 
real world, which I think is a major, important issue. The whole 
human factors things that you all have talked about, about govern- 
ment research and how it affects the private market, you don’t 
have to write those down, we will send those to you in writing. 

Mr. Thornberry. But needless to say, you all have touched on 
a number of things that have been very helpful to us. I want to 
thank each of you for taking the time to be here and to be with 
us today, and with that, this hearing stands adjourned. 

[Whereupon, at 11:45 a.m., the subcommittee was adjourned.] 